The size_t
type is the unsigned integer type of the result of the sizeof
operator. Variables of type size_t
are guaranteed to be of sufficient precision to represent the size of an object. The limit of size_t
is specified by the SIZE_MAX
macro.
The type size_t
generally covers the entire address space. [[TR 24731-1]] introduces a new type rsize_t
, defined to be size_t
but explicitly used to hold the size of a single object. In code that documents this purpose by using the type rsize_t
, the size of an object can be checked to verify that it is no larger than RSIZE_MAX
, the maximum size of a normal single object, which provides additional input validation for library functions. See [[STR00-A. Use TR 24731 for remediation of existing string manipulation code]] for additional discussion of TR 24731-1.
Any variable that is used to represent the size of an object including integer values used as sizes, indices, loop counters, and lengths should be declared as rsize_t
if available, otherwise size_t
.
Non-Compliant Code Example
In this non-compliant code example, the dynamically allocated buffer referenced by p
overflows for values of n > INT_MAX
.
char *copy(size_t n, const char *str) { int i; char *p = (char *)malloc(n); if (p == NULL) { /* Handle malloc failure */ } for ( i = 0; i < n; ++i ) { p[i] = *str++; } return p; } char *p = copy(9, "hi there");
The size_t
type is typically represented by the same number of bits as int
, that is, sizeof(size_t) == sizeof(int))
. In this case, n
might be greater than INT_MAX
. The loop, however, will executes n
times because the comparison i < n
is an unsigned comparison. Once i > INT_MAX
, i
takes on negative values starting with (INT_MIN
). Consequently, the memory locations referenced by p[i]
precede the memory referenced by p
and a write-outside-array bounds occurs.
If size_t
is represented by a greater number of bits than int
, that is sizeof(size_t) > sizeof(int)
, the same behavior occurs for values of n <= UINT_MAX
. For values of n > UINT_MAX
all of memory within [INT_MIN, INT_MAX]
from the beginning of the output buffer are overwritten in an infinite loop. This is because the expression ++i
will wrap around to zero before the condition i < n
ever evaluates to false.
Note that in a preemptive multithreaded program, only one thread is in the infinite loop, so it is still significant that out-of-bounds memory is changed.
Compliant Solution
Declaring i
to be of type rsize_t
eliminates the possible integer overflow condition (in this example). Also, the argument n
is changed to be of type rsize_t
to document additional validation in the form of a check against RSIZE_MAX
.
char *copy(rsize_t n, const char *str) { rsize_t i; char *p; if (n > RSIZE_MAX) { /* Handle unreasonable object size error */ } p = (char *)malloc(n); if (p == NULL) { /* Handle malloc failure */ } for ( i = 0; i < n; ++i ) { p[i] = *str++; } return p; } char *p = copy(9, "hi there");
Risk Assessment
The improper calculation or manipulation of an object's size can result in exploitable vulnerabilities.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
INT01-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.17, "Common definitions <stddef.h>"
[[ISO/IEC 9899-1999]] Section 7.20.3, "Memory management functions"
[[ISO/IEC TR 24731-1-2007]]
INT00-A. Understand the data model used by your implementation(s) 04. Integers (INT) INT02-A. Understand integer conversion rules