You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 100 Next »

Variable length arrays (VLA) are essentially the same as traditional C arrays except that they are declared with a size that is not a constant integer expression and can be declared only at block scope or function prototype scope and no linkage. A variable length array can be declared

{   /* block scope */
    char vla[size];
}

where the integer expression size and the declaration of vla are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of C11 [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.

Noncompliant Code Example

In this noncompliant code example, a variable length array of size size is declared. The size is declared as size_t in compliance with INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.

void func(size_t size) {
  int vla[size];
  /* ... */
}
/* ... */

However, it is not guaranteed that the value of size is a valid size argument, potentially giving rise to a security vulnerability.

Compliant Code Solution

This compliant solution ensures the size argument used to allocate vla is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation.

enum { MAX_ARRAY = 1024 };

void func(size_t size) {
  if (0 < size && size < MAX_ARRAY) {
    int vla[size];
    /* ... */
  } else {
    /* Use dynamic allocation */
  }
}
/* ... */

Implementation Details

Microsoft

Variable length arrays are not supported by Microsoft compilers.

GCC

Variable length arrays should be used on GCC with great care. Newer versions of GCC have incorporated variable length arrays but do not yet claim full C conformance. GCC has limited incomplete support for parts of this standard, enabled with -std=c11 or -std=iso9899:2011.

On an example Debian GNU/Linux Intel 32-bit test machine with GCC v. 4.2.2, the value of a variable length array's size is interpreted as a 32-bit signed integer. Passing in a negative number for the size will likely cause the program stack to become corrupted, and passing in a large positive number may cause a terminal stack overflow. It is important to note that this information may become outdated as GCC evolves.

Risk Assessment

Failure to properly specify the size of a variable length array may allow arbitrary code execution or result in stack exhaustion.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR32-C

high

probable

high

P6

L2

Automated Detection

Tool

Version

Checker

Description

Coverity Prevent

2017.07

REVERSE_NEGATIVE NEGATIVE_RETURNS

Can find the instances where data is read/write from a negative array index.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]

ISO/IEC TR 24772 "XYX Boundary Beginning Violation" and "XYZ Unchecked Array Indexing"

Bibliography

[Griffiths 2006]


  • No labels