The size_t
type is the unsigned integer type of the result of the sizeof
operator. Variables of type size_t
are guaranteed to be of sufficient precision to represent the size of an object. The limit of size_t
is specified by the SIZE_MAX
macro.
The type size_t
generally covers the entire address space. [[TR 24731-1]] introduces a new type rsize_t
, defined to be size_t
but explicitly used to hold the size of a single object. In code that documents this purpose by using the type rsize_t
, the size of an object can be checked to verify that it is no larger than RSIZE_MAX
, the maximum size of a normal single object, which provides additional input validation for library functions. See [[STR00-A. Use TR 24731 for remediation of existing string manipulation code]] for additional discussion of TR 24731-1.
Any variable that is used to represent the size of an object including integer values used as sizes, indices, loop counters, and lengths should be declared as rsize_t
if available, otherwise size_t
.
Risk Assessment
The improper calculation or manipulation of an object's size can result in exploitable vulnerabilities.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
INT01-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.17, "Common definitions <stddef.h>"
[[ISO/IEC 9899-1999]] Section 7.20.3, "Memory management functions"
[[ISO/IEC TR 24731-1-2007]]
INT00-A. Understand the data model used by your implementation(s) 04. Integers (INT) INT02-A. Understand integer conversion rules