An object has a storage duration that determines its lifetime. There are three storage durations: static, automatic, and allocated.
According to C99 [[ISO/IEC 9899:1999]]:
The lifetime of an object is the portion of program execution during which storage is guaranteed to be reserved for it. An object exists, has a constant address, and retains its last-stored value throughout its lifetime. If an object is referred to outside of its lifetime, the behavior is undefined. The value of a pointer becomes indeterminate when the object it points to reaches the end of its lifetime.
Attempting to access an object outside of its lifetime can result in an exploitable vulnerability.
Non-Compliant Code Example (Static Variables)
This non-compliant code example declares the variable p
as a pointer to a constant char
with file scope. The value of str
is assigned to p
within the dont_do_this()
function. However, str
has automatic storage duration, so the lifetime of str
ends when the dont_do_this()
function exits.
char const *p; void dont_do_this(void) { char const str[] = "This will change"; p = str; /* dangerous */ /* ... */ } void innocuous(void) { char const str[] = "Surprise, surprise"; } /* ... */ dont_do_this(); innocuous(); /* p might be pointing to "Surprise, surprise" */
As a result of this undefined behavior, it is likely that p
will refer to the string literal "Surprise, surprise"
after the call to the innocuous()
function.
Compliant Solution (p
with Block Scope)
In this compliant solution, p
is declared with the same scope as str
, preventing p
from taking on an indeterminate value outside of this_is_OK()
.
void this_is_OK(void) { char const str[] = "Everything OK"; char const *p = str; /* ... */ } /* p is inaccessible outside the scope of string str */
Compliant Solution (p
with File Scope)
If it is necessary for p
to be defined with file scope, it can be set to NULL
before str
is destroyed. This prevents p
from taking on an indeterminate value, although any references to p
must check for NULL
.
char const *p; void is_this_OK(void) { char const str[] = "Everything OK?"; p = str; /* ... */ p = NULL; }
Non-Compliant Code Example (Return Values)
In this example, the function init_array()
incorrectly returns a pointer to a local stack variable.
char *init_array(void) { char array[10]; /* Initialize array */ return array; }
Some compilers generate a warning when a pointer to an automatic variable is returned from a function, as in this example. Compile your code at high warning levels and resolve any warnings (see MSC00-A. Compile cleanly at high warning levels).
Compliant Solution (Return Values)
Correcting this example depends on the intent of the programmer. If the intent is to modify the value of array
and have that modification persist outside of the scope of init_array()
, the desired behavior can be achieved by declaring array
elsewhere and passing it as an argument to init_array()
.
void init_array(char array[]) { /* Initialize array */ return; } int main(int argc, char *argv[]) { char array[10]; init_array(array); /* ... */ return 0; }
Risk Assessment
Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
DCL30-C |
high |
probable |
high |
P6 |
L2 |
Automated Detection
The LDRA tool suite V 7.6.0 can detect violations of this rule.
Fortify SCA Version 5.0 can detect violations when an array is declared in a function and then a pointer to that array is returned.
Splint Version 3.1.1 can detect violations of this rule.
Compass/ROSE can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope would be difficult.
The Coverity Prevent RETURN_LOCAL checker finds many instances where a function will return a pointer to a local stack variable. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Coverity 07]]
[[ISO/IEC 9899:1999]] Section 6.2.4, "Storage durations of objects," and Section 7.20.3, "Memory management functions"
[[ISO/IEC PDTR 24772]] "DCM Dangling references to stack frames"
[[MISRA 04]] Rule 8.6
DCL15-C. Declare objects that do not need external linkage with the storage-class specifier static 02. Declarations and Initialization (DCL)