SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 40 Next »

All integer values originating from untrusted sources should be evaluated to determine if there are identifiable upper and lower bounds. If so, these limits should be enforced by the interface. Restricting the input of excessively large or small integers helps prevent overflow, truncation, and other type range errors. Furthermore, it is easier to find and correct input problems than it is to trace internal errors back to faulty inputs.

Non-Compliant Code Example

In the following non-compliant code example, length is a user supplied argument that is used to determine the length of table.

int create_table(size_t length) {
  char **table;

  if (sizeof(char *) > SIZE_MAX/length) {
    /* handle overflow */
  }

  size_t table_length = length * sizeof(char *);
  table = (char **)malloc(table_length)
  if (table == NULL) {
    /* Handle error condition */
  }
  /* ... */
  return 0;
}

Because length is user-controlled, the value could result in a large block of memory being allocated or cause the call to malloc() to fail. Depending on how error handling is implemented, this may result in a denial of service or other error. A length of zero results in a division by zero in the overflow check, which can also result in a denial of service.

Compliant Solution

This compliant solution defines the acceptable range for length as [1, MAX_TABLE_LENGTH]. The length parameter is declared as size_t, which is unsigned by definition. Consequently, it is not necessary to check length for negative values (see [[INT01-A. Use rsize_t or size_t for all integer values representing the size of an object]]).

enum { MAX_TABLE_LENGTH = 256 };

int create_table(size_t length) {
  size_t table_length;
  char **table;

  if (length == 0 || length > MAX_TABLE_LENGTH) {
    /* Handle invalid length */
  }

  /*
   * The wrap check has been omitted based on the assumption that
   * MAX_TABLE_LENGTH * sizeof(char *) cannot exceed SIZE_MAX
   * If this assumption is not valid, a check must be added
   */
  assert(length <= SIZE_MAX/sizeof(char *));

  table_length = length * sizeof(char *);

  table = (char **)malloc(table_length);
  if (table == NULL) {
    /* Handle error condition */
  }
  /* ... */
  return 0;
}

The test for length == 0 ensures that a non-zero number of bytes is allocated (see MEM04-A. Do not perform zero length allocations).

Risk Assessment

Failing to enforce the limits on integer values can result in a denial of service condition.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT04-A

low

probable

high

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Seacord 05]] Chapter 5, "Integer Security"

INT03-A. Use a secure integer library      04. Integers (INT)       INT05-A. Do not use input functions to convert character data if they cannot handle all possible inputs

  • No labels