All integer values originating from untrusted sources should be evaluated to determine if there are identifiable upper and lower bounds. If so, these limits should be enforced by the interface. Restricting the input of excessively large or small integers helps prevent overflow, truncation, and other type range errors. Furthermore, it is easier to find and correct input problems than it is to trace internal errors back to faulty inputs.
Noncompliant Code Example
In this noncompliant code example, length
is a user-supplied argument that is used to determine the length of table
.
int create_table(size_t length) { char **table; if (length > SIZE_MAX/sizeof(char *)) { /* handle overflow */ return -1; } size_t table_length = length * sizeof(char *); table = (char **)malloc(table_length); if (table == NULL) { /* Handle error condition */ return -1; } /* ... */ return 0; }
Because length
is user controlled, the value can result in a large block of memory being allocated or can cause the call to malloc()
to fail. Depending on how error handling is implemented, this may result in a denial of service or other error. A length
of zero results in a division by zero in the overflow check, which can also result in a denial of service. (See guideline INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors.)
Compliant Solution
This compliant solution defines the acceptable range for length
as [1, MAX_TABLE_LENGTH]
. The length
parameter is declared as size_t
, which is unsigned by definition. Consequently, it is not necessary to check length
for negative values. (See guideline INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.)
enum { MAX_TABLE_LENGTH = 256 }; int create_table(size_t length) { size_t table_length; char **table; if (length == 0 || length > MAX_TABLE_LENGTH) { /* Handle invalid length */ return -1; } /* * The wrap check has been omitted based on the assumption * that MAX_TABLE_LENGTH * sizeof(char *) cannot exceed * SIZE_MAX. If this assumption is not valid, a check must * be added. */ assert(length <= SIZE_MAX/sizeof(char *)); table_length = length * sizeof(char *); table = (char **)malloc(table_length); if (table == NULL) { /* Handle error condition */ return -1; } /* ... */ return 0; }
The test for length == 0
ensures that a nonzero number of bytes is allocated. (See guideline MEM04-C. Do not perform zero length allocations.)
Risk Assessment
Failing to enforce the limits on integer values can result in a denial-of-service attack.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
INT04-C |
low |
probable |
high |
P2 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
C++ Secure Coding Standard: INT04-CPP. Enforce limits on integer values originating from untrusted sources
Bibliography
[Seacord 2005a] Chapter 5, "Integer Security"