You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 77 Next »

Variable-length arrays are essentially the same as traditional C arrays, the major difference being that they are declared with a size that is not a constant integer expression. A variable-length array can be declared as follows:

char vla[s];

where the integer s and the declaration are both evaluated at runtime. If a size argument supplied to a variable-length array is not a positive integer value of reasonable size, then the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [[Griffiths 06]]. The programmer must ensure that size arguments to variable-length arrays are valid and have not been corrupted as the result of an exceptional integer condition.

Noncompliant Code Example

In this noncompliant code example, a variable-length array of size s is declared. The size s is declared as size_t in compliance with INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.

void func(size_t s) {
  int vla[s];
  /* ... */
}
/* ... */
func(size);
/* ... */

However, it is unclear whether the value of s is a valid size argument. Depending on how variable-length arrays are implemented, the size may be interpreted as a negative value or a very positive value. The either case, a security vulnerability may occur.

For example, for GCC 4.2.2 on the Debian GNU/Linux Intel 32-bit platform, the value of a variable length array's size is interpreted as a 32-bit signed integer. Passing in a negative number for the size will likely cause the program stack to become corrupted, and passing in a large positive number may cause a terminal stack overflow. It is important to note that this information may become outdated as GCC evolves.

Compliant Code Solution

This compliant solution ensures the size argument s used to allocate vla is in a valid range (between 1 and a programmer-defined maximum).

enum { MAX_ARRAY = 1024 };

void func(size_t s) {
  if (s < MAX_ARRAY && s != 0) {
    int vla[s];
    /* ... */
  } else {
    /* Handle Error */
  }
}

/* ... */
func(size);
/* ... */

Implementation Details

Microsoft

Variable length arrays are not supported by Microsoft compilers.

GCC

Newer versions of GCC have incorporated variable length arrays, but do not yet claim full C99 conformance. As such, variable length arrays should only be used on GCC with great care.

On an example Debian GNU/Linux Intel 32-bit test machine with GCC v. 4.2.2, the value of a variable length array's size is interpreted as a 32-bit signed integer. Passing in a negative number for the size will likely cause the program stack to become corrupted, and passing in a large positive number may cause a terminal stack overflow. It is important to note that this information may become outdated as GCC evolves.

Risk Assessment

Failure to properly specify the size of a variable length array may allow arbitrary code execution or result in stack exhaustion.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR32-C

high

probable

high

P6

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Griffiths 06]]
[[ISO/IEC PDTR 24772]] "XYX Boundary Beginning Violation" and "XYZ Unchecked Array Indexing"


ARR31-C. Use consistent array notation across all source files      06. Arrays (ARR)       ARR33-C. Guarantee that copies are made into storage of sufficient size

  • No labels