SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 92 Next »

An object has a storage duration that determines its lifetime. There are three storage durations: static, automatic, and allocated.

According to C99 [[ISO/IEC 9899:1999]]:

The lifetime of an object is the portion of program execution during which storage is guaranteed to be reserved for it. An object exists, has a constant address, and retains its last-stored value throughout its lifetime. If an object is referred to outside of its lifetime, the behavior is undefined. The value of a pointer becomes indeterminate when the object it points to reaches the end of its lifetime.

Attempting to access an object outside of its lifetime can result in an exploitable vulnerability.

Noncompliant Code Example (Static Variables)

This noncompliant code example declares the variable p as a pointer to a constant char with file scope. The value of str is assigned to p within the dont_do_this() function. However, str has automatic storage duration, so the lifetime of str ends when the dont_do_this() function exits.

const char *p;
void dont_do_this(void) {
    const char str[] = "This will change";
    p = str; /* dangerous */
    /* ... */
}

void innocuous(void) {
    const char str[] = "Surprise, surprise";
}
/* ... */
dont_do_this();
innocuous();
/* p might be pointing to "Surprise, surprise" */

As a result of this undefined behavior, it is likely that p will refer to the string literal "Surprise, surprise" after the call to the innocuous() function.

Compliant Solution (p with Block Scope)

In this compliant solution, p is declared with the same scope as str, preventing p from taking on an indeterminate value outside of this_is_OK().

void this_is_OK(void) {
    const char str[] = "Everything OK";
    const char *p = str;
    /* ... */
}
/* p is inaccessible outside the scope of string str */

Compliant Solution (p with File Scope)

If it is necessary for p to be defined with file scope, it can be set to NULL before str is destroyed. This prevents p from taking on an indeterminate value, although any references to p must check for NULL.

const char *p;
void is_this_OK(void) {
    const char str[] = "Everything OK?";
    p = str;
    /* ... */
    p = NULL;
}

Noncompliant Code Example (Return Values)

In this example, the function init_array() incorrectly returns a pointer to a local stack variable.

char *init_array(void) {
   char array[10];
   /* Initialize array */
   return array;
}

Some compilers generate a warning when a pointer to an automatic variable is returned from a function, as in this example. Compile your code at high warning levels and resolve any warnings (see MSC00-C. Compile cleanly at high warning levels).

Compliant Solution (Return Values)

The solution, in this case, depends on the intent of the programmer. If the intent is to modify the value of array and have that modification persist outside of the scope of init_array(), the desired behavior can be achieved by declaring array elsewhere and passing it as an argument to init_array().

void init_array(char array[]) {
   /* Initialize array */
   return;
}

int main(int argc, char *argv[]) {
   char array[10];
   init_array(array);
   /* ... */
   return 0;
}

Risk Assessment

Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL30-C

high

probable

high

P6

L2

Automated Detection

Tool

Compliance

Description

ROSE

partial

Compass/ROSE can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope would be difficult.

LDRA tool suite V. 7.6.0

yes

 

Fortify SCA V. 5.0

yes

Can detect violations when an array is declared in a function and then a pointer to that array is returned.

Coverity Prevent

yes

The RETURN_LOCAL checker finds many instances where a function will return a pointer to a local stack variable.

Splint V. 3.1.1

yes

 

Klocwork V. 8.0.4.16

yes

Can detect violations of this rule with the LOCRET checker.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Cross References

Standard

Document

CERT C++

DCL30-CPP. Declare objects with appropriate storage durations

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e154e5a8-04f5-4b64-b77e-5dc7f3e586e7"><ac:plain-text-body><![CDATA[

[[ISO/IEC PDTR 24772

AA. C References#ISO/IEC PDTR 24772]]

"DCM Dangling references to stack frames"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="33ebcf2b-92df-4b97-9ec1-8ed9a09c0945"><ac:plain-text-body><![CDATA[

[[MISRA 04

AA. C References#MISRA 04]]

Rule 8.6

]]></ac:plain-text-body></ac:structured-macro>

Bibliography

[[Coverity 07]]
[[ISO/IEC 9899:1999]] Section 6.2.4, "Storage durations of objects," and Section 7.20.3, "Memory management functions"

DCL16-C. Use 'L', not 'l', to indicate a long value      02. Declarations and Initialization (DCL)      

  • No labels