C library functions that make changes to arrays or objects usually take at least two arguments: a pointer to the array or object and an integer indicating the number of elements or bytes to be manipulated. If the arguments are supplied improperly during such a function call, the function may cause the pointer to not point to the object at all or to point past the end of the object, leading to undefined behavior.
Definitions
The C Secure Coding Rules Draft Technical Specification [ISO/IEC TS 17961] defines the following terms:
Given an integer expression
E
, the derived typeT
ofE
is determined as follows:
- if
E
is asizeof
expression thenT
is the type of the operand of the expression,- otherwise, if
E
is an identifier, thenT
is the derived type of the expression last used to store a value inE
,- otherwise, if the derived type of each of
E
's subexpressions is the same, thenT
is that type,- otherwise, the derived type is an unspecified character type compatible with any of
char
,signed char
, andunsigned char
.EXAMPLE For the following declarations:
double a[40]; size_t n0 = sizeof (int); size_t n1 = 256; size_t n2 = sizeof a / sizeof (*a);The derived type of
n0
isint
, and the derived type ofn1
andn2
is a (hypothetical) unspecified character type that is compatible with any ofchar
,signed char
, andunsigned char
.
Consider the following code:
int val; int arr[ARR_SIZE]; size_t c1 = sizeof (val); size_t c2 = sizeof (arr) / sizeof (val); size_t c3 = sizeof (arr) / sizeof (*arr);
The derived type for c1
and c2
is int
, because both subexpressions have the same type. The derived type for c3
is an unspecified character type compatible with any of char
, signed char
, and unsigned char
.
Expresses either the size of an object with an effective type, or the number of bytes allocated for such an object.
For an object with an effective type
T
the effective size of the object is the result of thesizeof(T)
expression. For an object with no effective type (for example, an object for which space has just been allocated by a call tomalloc(N)
), the effective size is the number of bytes allocated for it (that is,N
).EXAMPLE 1 The effective size of
*p
refers to the effective size of the object or space referenced byp
minus the offset ofp
from the beginning of the space or object, respectively.EXAMPLE 2 For the following declarations
int a[5]; void *p = a + 2;the effective size of
*p
is equal tosizeof(a - 2) * sizeof(*a)
, or 12 whensizeof(int)
is 4.
The effective size of a pointer is the size of the object to which it points.
In the following code:
int arr[5]; int *p = arr;
the effective size of the pointer p
is sizeof(arr)
, that is, 5*sizeof(int)
.
The effective type of an object is defined as either its declared type or (if its type isn't declared) the effective type of the value assigned to it.
Consider the following code:
char *p; void *q; q = obj;
In this example, the effective type of p
is char
. The type of q
's type is not declared, but it is later assigned obj
. The effective type of q
is therefore equal to the effective type of obj
.
Standard Library Functions
Following is an incomplete list of C library functions to which this rule applies.
Library Functions That Take a Pointer and Integer
The following standard library functions take a pointer argument and a size argument, with the constraint that the pointer must point to a valid memory object of at least the number of bytes or wide characters (as appropriate) indicated by the size argument.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Library Functions That Take Two Pointers and an Integer
The following standard library functions take two pointer arguments and a size argument, with the constraint that both pointers must point to valid memory objects of at least the number of bytes or wide characters as appropriate, indicated by the size argument.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Library Functions That Take a Pointer and Two Integers
The following standard library functions take a pointer argument and two size arguments, with the constraint that the pointer must point to a valid memory object containing at least as many bytes as the product of the two size arguments.
|
|
|
|
Standard Memory Allocation Functions
The following are the standard memory allocation functions that take a size integer argument and return a pointer.
|
|
|
|
Other Library Functions
|
|
|
vswprintf() | swprintf() |
|
|
|
|
*Both functions take more than one size_t
argument. In such cases, the compliant code must be consistent with the purpose of these arguments. For example, in the case of fread()
:
size_t fread(void *ptr, size_t size, size_t count, FILE *stream)
the programmer must ensure that the object referenced by ptr
is at least (size * count
) bytes.
Description
To guarantee that a library function does not construct an out-of-bounds pointer, programmers must heed the following rules when using functions that operate on pointed-to regions. These rules assume that func
is a function, p
and q
are pointers, and n
is an integer.
- For calls of the form
func(p,n)
, the value ofn
should not be greater than the effective size of the pointer. In situations wheren
is an expression, the effective type of the pointer should be compatible with either the derived type ofn
or unsigned char. - For calls of the form
func(p,q,n)
, the value ofn
should not be greater than the effective size of any of the two pointers (p
andq
). The effective type ofp
should be compatible with the derived type ofn
orunsigned char
whenn
is an expression. Similarly, the effective type ofp
should be compatible with the effective type ofq
orunsigned char
. - For any expression E of the form
T* p = func(n)
, the value ofn
should not be less thansizeof(T)
. Also, the effective type ofT
should be compatible with either the derived type ofn
orunsigned char
.
Noncompliant Code Example
This noncompliant code example assigns a value greater than the size of available memory to n
, which is then passed to memset()
:
void f1(size_t nchars) { char *p = (char *)malloc(nchars); const size_t n = nchars + 1; memset(p, 0, n); /* ... */ }
Compliant Solution
This compliant solution ensures that the value of n
is not greater than the size of the dynamic memory pointed to by the pointer p
:
void f1(size_t nchars, size_t val) { char *p = (char *)malloc(nchars); const size_t n = val; if (nchars < n) { /* Handle Error */ } else { memset(p, 0, n); } /* ... */ }
Noncompliant Code Example
In this noncompliant code example, the effective type of *p
is float
, and the derived type of the expression n
is int
. This is calculated using the first rule from TS 17961's definition of derived types (see Section 4, "Definitions" [ISO/IEC TS 17961]). Because n
contains the result of a sizeof
expression, its derived type is equal to the type of the operand, which is int
.
void f2() { const size_t ARR_SIZE = 4; float a[ARR_SIZE]; const size_t n = sizeof(int) * ARR_SIZE; void *p = a; memset(p, 0, n); /* ... */ }
Note: Although it is noncompliant, this code has no ill effects on architectures where sizeof(int)
is equal to sizeof(float)
.
Compliant Solution
In this compliant solution, the derived type of n
is also float
:
void f2() { const size_t ARR_SIZE = 4; float a[ARR_SIZE]; const size_t n = sizeof(float) * ARR_SIZE; void *p = a; memset(p, 0, n); /* ... */ }
Noncompliant Code Example
In this noncompliant code example, the size of n
could be greater than the size of *p
. Also, the effective type of *p
(int
) is different from the effective type of *q
(float
).
void f3(int *a) { float b = 3.14; const size_t n = sizeof(b); void *p = a; void *q = &b; memcpy(p, q, n); /* ... */ }
Note: Although it is noncompliant, this code does not constitute a vulnerability on implementations where sizeof(int)
is equal to sizeof(float)
.
Compliant Solution
This compliant solution ensures that the value of n
is not greater than the minimum of the effective sizes of *p
and *q
and that the effective types of the two pointers are identical (float
):
void f3(float *a, size_t val) { float b = 3.14; const size_t n = val; void *p = a; void *q = &b; if( (n > sizeof(a)) || (n > sizeof(b)) ) { /* Handle error */ } else { memcpy(p, q, n); /* ... */ } }
Noncompliant Code Example
In this noncompliant code example, the value of n
is greater than the size of T
, that is, sizeof(wchar_t)
. But the derived type of expression n
(wchar_t *
) is not the same as the type of T
because its derived type will be equal to the type of p
, which is wchar_t*
. The derived type of n
is calculated using the first rule from TS 17961's definition of derived types (see Section 4, "Definitions" [ISO/IEC TS 17961]). Because n
here is a sizeof
expression, its derived type is equal to the type of the operand (p
), which is wchar_t *
.
wchar_t *f4() { const wchar_t *p = L"Hello, World!"; const size_t n = sizeof(p) * (wcslen(p) + 1); wchar_t *q = (wchar_t*) malloc(n); return q; }
Compliant Solution
This compliant solution ensures that the derived type of n
(wchar_t
) is the same as the type of T
(wchar_t
) and that the value of n
is not less than the size of T
:
wchar_t *f4() { const wchar_t *p = L"Hello, World!"; const size_t n = sizeof(wchar_t) * (wcslen(p) + 1); wchar_t *q = (wchar_t*) malloc(n); return q; }
Noncompliant Code Example
In this noncompliant example, a diagnostic is required because the value of n
is not computed correctly, allowing a possible write past the end of the object referenced by p
:
void f4(char p[], const char *q) { const size_t n = sizeof(p); if ((memcpy(p, q, n)) == p) { /* violation */ /* ... */ } /* ... */ }
Compliant Solution
This compliant solution ensures that n
is equal to the size of the character array:
void f4(char p[], const char *q, size_t size_p) { const size_t n = size_p; if ((memcpy(p, q, n)) == p) { /* ... */ } /* ... */ }
Risk Assessment
Depending on the library function called, the attacker may be able to use a heap overflow vulnerability to run arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR38-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
PRQA QA-C | Unable to render {include} The included page could not be found. | 2931 | Fully implemented |
Related Guidelines
C Secure Coding Standard | API00-C. Functions should validate their parameters |
ISO/IEC TS 17961 (Draft) | Forming invalid pointers by library functions [libptr] |
Bibliography
[ISO/IEC TS 17961] | Programming Languages,Their Environments and System Software Interfaces |