An object that is accessed through a restrict-qualified pointer has a special association with that pointer. This association requires that all accesses to that object use, directly or indirectly, the value of that particular pointer. The intended use of the restrict qualifier is to promote optimization, and deleting all instances of the qualifier from a program does not change its meaning (that is, observable behavior). In the absence of this qualifier, other pointers can alias this object. Caching the value in an object designated through a restrict
-qualified pointer is safe at the beginning of the block in which the pointer is declared, because no pre-existing aliases may also be used to reference that object. The cached value must be restored to the object by the end of the block, where pre-existing aliases again become available. New aliases may be formed within the block, but these must all depend on the value of the restrict-qualified pointer, so that they can be identified and adjusted to refer to the cached value. For a restrict
-qualified pointer at file scope, the block is the body of each function in the file [Walls 2006]. Developers should be aware that C++ does not support the restrict
qualifier, however, some C++ compiler vendors support an equivalent qualifier.
Annex J of the C Standard [ISO/IEC 9899:2011] identifies the following undefined behavior 68:
A restrict-qualified pointer is assigned a value based on another restricted pointer whose associated block neither began execution before the block associated with this pointer, nor ended before the assignment (6.7.3.1).
This is an oversimplification however, and it is important to review the formal definition of restrict in subclause 6.7.3.1 of the C Standard to properly understand undefined behaviors associated with the use of restrict-qualified pointer .
Overlapping Objects
The restrict
qualifier requires that the pointers do not reference overlapping objects. If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined.
Noncompliant Code Example
In this noncompliant code example, assignments between restricted pointers in the same scope is disallowed.
int * restrict a; int * restrict b; extern int c[]; int main(void) { c[0] = 17; c[1] = 18; a = &c[0]; b = &c[1]; a = b; /* Undefined behavior */ /* ... */ }
Compliant Solution
One way to eliminate the undefined behavior is simply to remove the restrict-
qualification from the affected pointers.
int * a; int * b; extern int c[]; int main(void) { c[0] = 17; c[1] = 18; a = &c[0]; b = &c[1]; a = b; /* Valid defined behavior */ /* ... */ }
restrict
-qualified pointers Function Parameters
When calling functions that have restrict
qualified function parameters, it is important that pointers do not reference overlapping objects if one or more of the objects modify memory. Thus it is important to understand the semantics of the function being called.
Noncompliant Code Example
In this noncompliant code example, the function f()
accepts three parameters. The function copies n
integers from the int
array referenced by the restrict
-qualified pointer p
to the int
array referenced by the restrict
-qualified pointer q
. Because the object is modified during each execution of the function (for which n
is nonzero), if an object is accessed through one of the pointer parameters it cannot also be accessed through the other. Declaring these function parameters as restrict
-qualified pointers allows aggressive optimization by the compiler but can also result in undefined behavior if these pointers refer to overlapping objects.
#include <stddef.h> void f(size_t n, int * restrict p, int * restrict q) { while (n-- > 0) { *p++ = *q++; } } void g(void) { extern int d[100]; /* ... */ f(50, d + 1, d); /* Undefined behavior */ }
The function g()
declares an array d
consisting of 100 int
values and then invokes f()
to copy memory from one area of the array to another. This call has undefined behavior because each of d[1]
through d[49]
is accessed through both p
and q
.
Compliant Solution
In this compliant solution, the function f()
is unchanged but the programmer has ensured that none of the calls to f()
result in undefined behavior. The call of f()
in g()
is valid because the storage is allocated to d
is effectively divided into two disjoint objects.
#include <stdlib.h> void f(size_t n, int * restrict p, int * restrict q) { while (n-- > 0) { *p++ = *q++; } } void g(void) { extern int d[100]; /* ... */ f(50, d + 50, d); /* Valid defined behavior */ }
Noncompliant Code Example
In this noncompliant code example, the function add()
adds the integer array referenced by the restrict
-qualified pointers lhs to the integer array referenced by the restrict
-qualified pointer rhs
and stores the result in the restrict
-qualified pointer referenced by res
. The call add(100, a, a, a)
has undefined behavior because the object modified by res
is accessed by lhs and rhs
.
#include <stddef.h> void add(size_t n, int * restrict res, int * restrict lhs, int * restrict rhs) { for (size_t i = 0; i < n; ++i) { res[i] = lhs[i] + rhs[i]; } } void f(void) { int a[100]; add(100, a, a, a); /* Undefined behavior */ }
The function f()
declares an array a
consisting of 100 int
values and then invokes add()
to copy memory from one area of the array to another. This call has undefined behavior because each of a[1]
through a[49]
is accessed through both lhs and rhs
.
Compliant Solution
In this compliant solution, an unmodified object is aliased through two restricted pointers. Because a
and b
are disjoint arrays, a call of the form add(100, a, b, b)
has defined behavior, because array b
is not modified within function add
.
#include <stddef.h> void add(size_t n, int * restrict res, int * restrict lhs, int * restrict rhs) { for (size_t i = 0; i < n; ++i) { res[i] = lhs[i] + rhs[i]; } } void f(void) { int a[100]; int b[100]; add(100, a, b, b); /* Valid defined behavior */ }
Invoking Library Functions with restrict-qualified Pointers
Ensure that restrict
-qualified source and destination pointers do not reference overlapping objects when invoking library functions. The standard library functions shown below are examples of ones that copy memory from a source object referenced by a restrict
-qualified pointer to a destination object that is also referenced by a restrict
-qualified pointer:
Standard C | Annex K |
---|---|
strcpy() | strcpy_s() |
strncpy() | strncpy_s() |
strcat() | strcat_s() |
strncat() | strncat_s() |
memcpy() | memcpy_s() |
strtok() | strtok_s() |
If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined. See also undefined behavior 68 in Appendix J of the C Standard. The result of the functions is unknown and data may be corrupted. As a result, these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share common memory addresses, a copy function guaranteed to work on overlapping memory, such as memmove()
, should be used.
Noncompliant Code Example
In this noncompliant code example, the values of objects referenced by ptr1
and ptr2
become unpredictable after the call to memcpy()
because their memory areas overlap:
#include <string.h> void func(void) { char c_str[]= "test string"; char *ptr1 = c_str; char *ptr2; ptr2 = ptr1 + 3; /* Undefined behavior due to overlapping objects */ memcpy(ptr2, ptr1, 6); /* ... */ }
Compliant Solution
In this compliant solution, the call to memcpy()
is replaced with a call to memmove()
. The memmove()
function performs the same operation as memcpy()
when the memory regions do not overlap. When the memory regions do overlap, the n characters from the object pointed to by the source (ptr1
) are first copied into a temporary array of n characters that does not overlap the objects pointed to by the destination (ptr2
) or the source. The n characters from the temporary array are then copied into the object pointed to by the destination.
#include <string.h> void func(void) { char c_str[]= "test string"; char *ptr1 = c_str; char *ptr2; ptr2 = ptr1 + 3; memmove(ptr2, ptr1, 6); /* Replace call to memcpy() */ /* ... */ }
Similar solutions using memmove()
can replace the string functions as long as care is taken regarding the byte size of the characters and proper null-termination of the copied string.
Calling Functions with restrict
-qualified Pointer to a const
-qualified Type
Ensure that functions that accept a restrict
-qualified pointer to a const
-qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following is a list of some of the common functions where the format argument is a restrict
-qualified pointer to a const
-qualified type:
Standard C | Annex K |
---|---|
printf() | printf_s() |
scanf() | scanf_s() |
sprintf() | sprintf_s() |
snprintf() | snprintf_s() |
For formatted output functions such as printf()
, it is unlikely that a programmer would modify the format string. However, an attacker may attempt this if a program violates FIO30-C. Exclude user input from format strings and passes tainted values as part of the format string.
Noncompliant Code Example
In this noncompliant code example, the programmer is attempting to overwrite the format string with a string value read in from stdin
such as "%d%f 1 3.3"
, and use the resulting modified string of "%s%d%f"
to input the subsequent values of 1
and 3.3
:
#include <stdio.h> void func() { int i; float x char format[100] = "%s"; /* Undefined behavior */ int n = scanf(format, format + 2, &i, &x); /* ... */ }
Compliant Solution
The same results can be achieved as shown in this compliant solution.
#include <stdio.h> void func(void) { int i; float x int n = scanf("%d%f", &i, &x); /* Valid defined behavior */ /* ... */ }
Outer to-inner assignments between restricted pointers
The assignment between restricted pointers declared in a inner nested a block from a outer block has well defined behavior.
Noncompliant Code Example
The assignment of restrict
-qualified pointers to other restrict
-qualified pointers within the same block has undefined behavior.
void func(void) { int * restrict p1; int * restrict q1; int * restrict p2 = p1; /* Undefined behavior */ int * restrict q2 = q1; /* Undefined behavior */ }
Compliant Solution
The same results can be achieved using a inner nested block as shown in this compliant solution.
void func(void) { int * restrict p1; int * restrict q1; { /* Added inner block */ int * restrict p2 = p1; /* Valid defined behavior */ int * restrict q2 = q1; /* Valid defined behavior */ } }
Risk Assessment
The incorrect use of restrict
-qualified pointers can result in undefined behavior that might be exploited to cause data integrity violations.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP43-C | Medium | Probable | High | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
9.7.1 | 480 S 489 S | Partially implemented |
Related Guidelines
CERT C Secure Coding Standard | FIO30-C. Exclude user input from format strings |
ISO/IEC TR 24772:2013 | Passing Parameters and Return Values [CSJ] |
ISO/IEC TS 17961 | Passing pointers into the same object as arguments to different restrict-qualified parameters [restrict] |
Bibliography
[ISO/IEC 9899:2011] | Subclause 6.7.3.1, "Formal Definition of restrict " |
[Walls 2006] |