All integer values originating from untrusted sources should be evaluated to determine whether there are identifiable upper and lower bounds. If so, these limits should be enforced by the interface. Restricting the input of excessively large or small integers helps prevent overflow, truncation, and other type range errors. Furthermore, it is easier to find and correct input problems than it is to trace internal errors back to faulty inputs.
Non-Compliant Code example
In the following non-compliant code example, size
is a user supplied argument that is used to determine the size of table
.
int create_table(size_t size) { char **table; if (sizeof(char *) > SIZE_MAX/size) { /* handle overflow */ } size_t table_size = size * sizeof(char *); table = (char **)malloc(table_size) if (table == NULL) { /* Handle error condition */ } /* ... */ return 0; }
Because size
is controlled by the user, it could be specified to be either large enough to consume large amounts of system resources and still succeed or large enough to cause the call to malloc()
to fail, which, depending on how error handling is implemented, may result in a denial of service condition. It may also be zero, causing a division by zero in the overflow check, also resulting in a denial of service.
Compliant Solution
This compliant solution defines the acceptable range for size
as [1, MAX_TABLE_SIZE]
. The size
parameter is declared as size_t
, which is unsigned by definition. Consequently, it is not necessary to check size
for negative values (see [INT01-A. Use rsize_t or size_t for all integer values representing the size of an object]).
enum { MAX_TABLE_SIZE = 256 }; int create_table(size_t size) { size_t table_size; char **table; if (size == 0 || size > MAX_TABLE_SIZE) { /* Handle invalid size */ } /* * The wrap check has been omitted based on the assumption that * MAX_TABLE_SIZE * sizeof(char *) cannot exceed SIZE_MAX * If this assumption is not valid, a check must be added */ assert(size <= SIZE_MAX/sizeof(char *)); table_size = size * sizeof(char *); table = (char **)malloc(table_size); if (table == NULL) { /* Handle error condition */ } /* ... */ return 0; }
Risk Assessment
Failing to enforce the limits on integer values can result in a denial of service condition.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
INT04-A |
1 (low) |
2 (probable) |
1 (high) |
P2 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Seacord 05]] Chapter 5, "Integer Security"
INT03-A. Use a secure integer library 04. Integers (INT) INT05-A. Do not use input functions to convert character data if they cannot handle all possible inputs