SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 132 Next »

Integer conversions, both implicit and explicit (using a cast), must be guaranteed not to result in lost or misinterpreted data. This is particularly true for integer values that originate from untrusted sources and are used in any of the following ways:

  • As an array index
  • In any pointer arithmetic
  • As a length or size of an object
  • As the bound of an array (for example, a loop counter)
  • As an argument to a memory allocation function
  • In security-critical code

The only integer type conversions that are guaranteed to be safe for all data values and all possible conforming implementations are conversions of an integral value to a wider type of the same signedness. Subclause 6.3.1.3 of the C Standard [ISO/IEC 9899:2011] says,

When a value with integer type is converted to another integer type other than _Bool, if the value can be represented by the new type, it is unchanged.

Otherwise, if the new type is unsigned, the value is converted by repeatedly adding or subtracting one more than the maximum value that can be represented in the new type until the value is in the range of the new type.

Otherwise, the new type is signed and the value cannot be represented in it; either the result is implementation-defined or an implementation-defined signal is raised.

Typically, converting an integer to a smaller type results in truncation of the high-order bits.

Noncompliant Code Example (Unsigned to Signed)

Type range errors, including loss of data (truncation) and loss of sign (sign errors), can occur when converting from an unsigned type to a signed type. The following noncompliant code example results in a truncation error on most implementations:

#include <limits.h>
 
void func(void) {
  unsigned long int u_a = ULONG_MAX;
  signed char sc;
  sc = (signed char)u_a; /* Cast eliminates warning */
  /* ... */
}

Compliant Solution (Unsigned to Signed)

Validate ranges when converting from an unsigned type to a signed type. The following code, for example, can be used when converting from unsigned long int to a signed char:

#include <limits.h>
 
void func(void) {
  unsigned long int u_a = ULONG_MAX;
  signed char sc;
  if (u_a <= SCHAR_MAX) {
    sc = (signed char)u_a;  /* Use cast to eliminate warning */
  } else {
    /* Handle error condition */
  }
}

Noncompliant Code Example (Signed to Unsigned)

Type range errors, including loss of data (truncation) and loss of sign (sign errors), can occur when converting from a signed type to an unsigned type. The following code results in a loss of sign:

#include <limits.h>

void func(void) {
  signed int si = INT_MIN;
  unsigned int ui = (unsigned int)si;  /* Cast eliminates warning */

  /* ... */
}

Compliant Solution (Signed to Unsigned)

Validate ranges when converting from a signed type to an unsigned type. The following code, for example, can be used when converting from signed int to unsigned int:

#include <limits.h>

void func(void) {
  signed int si = INT_MIN;
  unsigned int ui;
  if (si < 0) {
    /* Handle error condition */
  } else {
    ui = (unsigned int)si;  /* Cast eliminates warning */
  }
  /* ... */
}

NOTE: Although unsigned types can usually represent all positive values of the corresponding signed type, this relationship is not guaranteed by the C Standard.

Noncompliant Code Example (Signed, Loss of Precision)

A loss of data (truncation) can occur when converting from a signed type to a signed type with less precision. The following code can result in truncation:

#include <limits.h>

void func(void) {
  signed long int s_a = LONG_MAX;
  signed char sc = (signed char)s_a; /* Cast eliminates warning */
  /* ... */
}

Compliant Solution (Signed, Loss of Precision)

Validate ranges when converting from a signed type to a signed type with less precision. The following code can be used, for example, to convert from a signed long int to a signed char:

#include <limits.h>

void func(void) {
  signed long int s_a = LONG_MAX;
  signed char sc;
  if ((s_a < SCHAR_MIN) || (s_a > SCHAR_MAX)) {
    /* Handle error condition */
  } else {
    sc = (signed char)s_a; /* Use cast to eliminate warning */
  }
  /* ... */
}

Conversions from signed types with greater precision to signed types with lesser precision require both the upper and lower bounds to be checked.

Noncompliant Code Example (Unsigned, Loss of Precision)

A loss of data (truncation) can occur when converting from an unsigned type to an unsigned type with less precision. The following code results in a truncation error on most implementations:

#include <limits.h>

void func(void) {
  unsigned long int u_a = ULONG_MAX;
  unsigned char uc = (unsigned char)u_a;  /* Cast eliminates warning */
  /* ... */
}

Compliant Solution (Unsigned, Loss of Precision)

Validate ranges when converting from an unsigned type to an unsigned type with lesser precision. The following code can be used, for example, to convert from an unsigned long int to an unsigned char:

#include <limits.h>

void func(void) {
  unsigned long int u_a = ULONG_MAX;
  unsigned char uc;
  if (u_a > UCHAR_MAX) ) {
    /* Handle error condition */
  } else {
    uc = (unsigned char)u_a; /* Use cast to eliminate warning */
  }
  /* ... */
}

Conversions from unsigned types with greater precision to unsigned types with lesser precision require only the upper bounds to be checked.

Exceptions

INT31-EX1: The C Standard defines minimum ranges for standard integer types. For example, the minimum range for an object of type unsigned short int is 0 to 65,535, whereas the minimum range for int is −32,767 to +32,767. Consequently, it is not always possible to represent all possible values of an unsigned short int as an int. However, on the IA-32 architecture, for example, the actual integer range is from −2,147,483,648 to +2,147,483,647, meaning that it is quite possible to represent all the values of an unsigned short int as an int for this architecture. As a result, it is not necessary to provide a test for this conversion on IA-32. It is not possible to make assumptions about conversions without knowing the precision of the underlying types. If these tests are not provided, assumptions concerning precision must be clearly documented, as the resulting code cannot be safely ported to a system where these assumptions are invalid. A good way to document these assumptions is to use static assertions. (See DCL03-C. Use a static assertion to test the value of a constant expression.)

Risk Assessment

Integer truncation errors can lead to buffer overflows and the execution of arbitrary code by an attacker.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT31-C

High

Probable

High

P6

L2

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

  

Can detect violations of this rule. However, false warnings may be raised if limits.h is included

Coverity*

2017.07

NEGATIVE_RETURNS


REVERSE_NEGATIVE


MISRA_CAST

Can find array accesses, loop bounds, and other expressions that may contain dangerous implied integer conversions that would result in unexpected behavior

Can find instances where a negativity check occurs after the negative value has been used for something else

Can find instances where an integer expression is implicitly converted to a narrower integer type, where the signedness of an integer value is implicitly converted, or where the type of a complex expression is implicitly converted

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack

Klocwork

2024.3

PRECISION.LOSS

 

LDRA tool suite

9.7.1

93 S
433 S
434 S

Fully implemented
PRQA QA-C
Unable to render {include} The included page could not be found.

2850 (C)
2851 (D)
2852 (A)
2853 (S)
2900 (C)
2901 (D)
2902 (A)
2903 (S)
2905 (C)
2906 (D)
2907 (A)
2908 (S)
3758
3759
3760
3769
3770
3780
3781
3782
3783

Partially implemented

* Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Related Vulnerabilities

CVE-2009-1376 results from a violation of this rule. In version 2.5.5 of Pidgin, an unsigned integer (offset) is set to the value of a 64-bit unsigned integer, which can lead to truncation [xorl 2009]. An attacker can execute arbitrary code by carefully choosing this value and causing a buffer overflow.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C Secure Coding StandardDCL03-C. Use a static assertion to test the value of a constant expression 
CERT C++ Secure Coding StandardINT31-CPP. Ensure that integer conversions do not result in lost or misinterpreted data
CERT Oracle Secure Coding Standard for JavaNUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
ISO/IEC TR 24772:2013Numeric Conversion Errors [FLC]
MISRA C:2012

Rule 10.1 (required)
Rule 10.3 (required)
Rule 10.4 (required)
Rule 10.6 (required)
Rule 10.7 (required)

MITRE CWECWE-192, Integer coercion error
CWE-197, Numeric truncation error
CWE-681, Incorrect conversion between numeric types

Bibliography

[Dowd 2006]Chapter 6, "C Language Issues" ("Type Conversions," pp. 223–270)
[ISO/IEC 9899:2011]Subclause 6.3.1.3, "Signed and Unsigned Integers"
[Seacord 2013]Chapter 5, "Integer Security"
[Viega 2005]Section 5.2.9, "Truncation Error"
Section 5.2.10, "Sign Extension Error"
Section 5.2.11, "Signed to Unsigned Conversion Error"
Section 5.2.12, "Unsigned to Signed Conversion Error"
[Warren 2002]Chapter 2, "Basics"
[xorl 2009]"CVE-2009-1376: Pidgin MSN SLP Integer Truncation"

 

  • No labels