SEI CERT C++ Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

An object has a storage duration that determines its lifetime. There are three storage durations: static, automatic, and allocated.

[[ISO/IEC 14882-2003]] Section 3.8, "Object Lifetime" describes a number of situations in which trying to access an object outside of its lifetime leads to undefined behavior.

Attempting to access an object outside of its lifetime can result in an exploitable vulnerability.

Noncompliant Code Example (Static Variables)

This noncompliant code example declares the variable p as a pointer to a constant char with file scope. The value of str is assigned to p within the dont_do_this() function. However, str has automatic storage duration, so the lifetime of str ends when the dont_do_this() function exits.

const char *p;
void dont_do_this(void) {
    const char str[] = "This will change";
    p = str; /* dangerous */
    /* ... */
}

void innocuous(void) {
    const char str[] = "Surprise, surprise";
}
/* ... */
dont_do_this();
innocuous();
/* p might be pointing to "Surprise, surprise" */

As a result of this undefined behavior, it is likely that p will refer to the string literal "Surprise, surprise" after the call to the innocuous() function.

Compliant Solution (p with Block Scope)

In this compliant solution, p is declared with the same scope as str, preventing p from taking on an indeterminate value outside of this_is_OK().

void this_is_OK(void) {
    const char str[] = "Everything OK";
    const char *p = str;
    /* ... */
}
/* p is inaccessible outside the scope of string str */

Compliant Solution (p with File Scope)

If it is necessary for p to be defined with file scope, it can be set to NULL before str is destroyed. This prevents p from taking on an indeterminate value, although any references to p must check for NULL.

const char *p;
void is_this_OK(void) {
    const char str[] = "Everything OK?";
    p = str;
    /* ... */
    p = NULL;
}

Noncompliant Code Example (Return Values)

In this example, the function init_array() incorrectly returns a pointer to a local stack variable.

char *init_array(void) {
   char array[10];
   /* Initialize array */
   return array;
}

Some compilers generate a warning when a pointer to an automatic variable is returned from a function, as in this example. Compile your code at high warning levels and resolve any warnings (see MSC00-CPP. Compile cleanly at high warning levels).

Compliant Solution (Return Values)

Correcting this example depends on the intent of the programmer. If the intent is to modify the value of array and have that modification persist outside of the scope of init_array(), the desired behavior can be achieved by declaring array elsewhere and passing it as an argument to init_array().

void init_array(char array[]) {
   /* Initialize array */
   return;
}

int main(int argc, char *argv[]) {
   char array[10];
   init_array(array);
   /* ... */
   return 0;
}

Risk Assessment

Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL30-CPP

high

probable

high

P6

L2

Automated Detection

The LDRA tool suite Version 7.6.0 can detect violations of this rule.

Fortify SCA Version 5.0 can detect violations when an array is declared in a function and then a pointer to that array is returned.

Splint Version 3.1.1 can detect violations of this rule.

Compass/ROSE can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope would be difficult.

The Coverity Prevent Version 5.0 RETURN_LOCAL checker finds many instances where a function will return a pointer to a local stack variable. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Klocwork Version 8.0.4.16 can detect violations of this rule with the LOCRET checker.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C Secure Coding Standard as DCL30-C. Declare objects with appropriate storage durations.

References

[[Coverity 07]]
[[ISO/IEC 14882-2003]] Sections 3.7, "Storage duration"; 3.8, "Object Lifetime"
[[Henricson 97]] Rule 5.9, "A function must never return, or in any other way give access to, references or pointers to local variables outside the scope in which they are declared."
[[Lockheed Martin 05]] AV Rule 111, "A function shall not return a pointer or reference to a non-static local object."
[[ISO/IEC PDTR 24772]] "DCM Dangling references to stack frames"
[[MISRA 04]] Rule 8.6

DCL17-CPP. Declare function parameters that are large data structures and are not changed by the function as const references      02. Declarations and Initialization (DCL)      DCL31-CPP. Do not define variadic functions

  • No labels