You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 56 Next »

Integer values used in any of the following ways must be guaranteed correct:

  • as an array index
  • in any pointer arithmetic
  • as a length or size of an object
  • as the bound of an array (for example, a loop counter)
  • in security critical code

Integer conversions, including implicit and explicit (using a cast), must be guaranteed not to result in lost or misinterpreted data. The only integer type conversions that are guaranteed to be safe for all data values and all possible conforming implementations are conversions of an integral value to a wider type of the same signedness. C99 Section 6.3.1.3 says

When a value with integer type is converted to another integer type other than _Bool, if the value can be represented by the new type, it is unchanged.

Otherwise, if the new type is unsigned, the value is converted by repeatedly adding or subtracting one more than the maximum value that can be represented in the new type until the value is in the range of the new type.

Otherwise, the new type is signed and the value cannot be represented in it; either the result is implementation-defined or an implementation-defined signal is raised.

Typically, converting an integer to a smaller type results in truncation of the high-order bits.

Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.

Exceptions

C99 defines minimum ranges for standard integer types. For example, the minimum range for an object of type unsigned short int is 0 to 65,535, while the minimum range for int is -32,767 to +32,767. This means that it is not always possible to represent all possible values of an unsigned short int as an int. However, on the IA-32 architecture, for example, the actual integer range is from -2,147,483,648 to +2,147,483,647, meaning that is quite possible to represent all the values of an unsigned short int as an int on this platform. As a result, it is not necessary to provide a test for this conversion on IA-32. It is not possible to make assumptions about conversions without knowing the precision of the underlying types. If these tests are not provided, assumptions concerning precision must be clearly documented, as the resulting code cannot be safely ported to a system where these assumptions are invalid.

Risk Assessment

Integer truncation errors can lead to buffer overflows and the execution of arbitrary code by an attacker.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT31-C

3 (high)

2 (probable)

1 (high)

P6

L2

Automated Detection

Fortify SCA Version 5.0 with CERT C Rule Pack is able to detect violations of this rule.

The tool Compass Rose is able to detect violations of this rule, but may throw false warnings when limits.h is included. 

The Coverity Prevent NEGATIVE_RETURNS and REVERSE_NEGATIVE checkers both can find violations of this rule. The NEGATIVE_RETURNS checker can find array accesses, loop bounds, and other expressions that may contain dangerous implied integer conversions that would result in unexpected behavior. The REVERSE_NEGATIVE checker can find instances where a negativity check occurs after the negative value has been used for something else. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Dowd 06]] Chapter 6, "C Language Issues" (Type Conversions, pp. 223-270)
[[ISO/IEC 9899-1999]] 6.3, "Conversions"
[[MISRA 04]] Rules 10.1, 10.3, 10.5, and 12.9
[[MITRE 07]] CWE ID 192, "Integer Coercion Error", CWE ID 197, "Numeric Truncation Error"
[[Seacord 05]] Chapter 5, "Integers"
[[Viega 05]] Section 5.2.9, "Truncation error," Section 5.2.10, "Sign extension error," Section 5.2.11, "Signed to unsigned conversion error," and Section 5.2.12, "Unsigned to signed conversion error"
[[Warren 02]] Chapter 2, "Basics"


INT30-C. Do not perform certain operations on questionably signed results      04. Integers (INT)       INT32-C. Ensure that integer operations do not result in an overflow

  • No labels