calloc() function takes two arguments: the number of elements to allocate and the storage size of those elements. Typically,
calloc() implementations multiply these arguments to determine how much memory to allocate. Historically, some implementations failed to check whether out-of-bounds results silently wrapped [RUS-CERT Advisory 2002-08:02]. If the result of multiplying the number of elements to allocate and the storage size wraps, less memory is allocated than was requested. As a result, it is necessary to ensure that these arguments, when multiplied, do not wrap.
Modern implementations of the C standard library should check for wrap. If the
calloc() function implemented by the libraries used for a particular implementation properly handles unsigned integer wrapping (in conformance with INT30-C. Ensure that unsigned integer operations do not wrap) when multiplying the number of elements to allocate and the storage size, that is sufficient to comply with this recommendation and no further action is required.
Noncompliant Code Example
In this noncompliant example, the user-defined function
get_size() (not shown) is used to calculate the size requirements for a dynamic array of
long int that is assigned to the variable
calloc() is called to allocate the buffer,
num_elements is multiplied by
sizeof(long) to compute the overall size requirements. If the number of elements multiplied by the size cannot be represented as a
calloc() may allocate a buffer of insufficient size. When data is copied to that buffer, an overflow may occur.
In this compliant solution, the two arguments
sizeof(long) are checked before the call to
calloc() to determine if wrapping will occur:
Note that the maximum amount of allocatable memory is typically limited to a value less than
SIZE_MAX (the maximum value of
size_t). Always check the return value from a call to any memory allocation function in compliance with ERR33-C. Detect and handle standard library errors.
Unsigned integer wrapping in memory allocation functions can lead to buffer overflows that can be exploited by an attacker to execute arbitrary code with the permissions of the vulnerable process. Most implementations of
calloc() now check to make sure silent wrapping does not occur, but it is not always safe to assume the version of
calloc() being used is secure, particularly when using dynamically linked libraries.
|Supported, but no explicit checker|
|ALLOC.SIZE.MULOFLOW||Multiplication overflow of allocation size|
The validity of values passed to library functions shall be checked
|SEI CERT C++ Coding Standard||VOID MEM07-CPP. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t|
|MITRE CWE||CWE-190, Integer overflow (wrap or wraparound)|
CWE-128, Wrap-around error
|[RUS-CERT]||Advisory 2002-08:02, "Flaw in |
|[Seacord 2013]||Chapter 4, "Dynamic Memory Management"|
|[Secunia]||Advisory SA10635, "HP-UX |