Bitwise operators include the complement operator ~, the bitwise shift operators >> and <<, the bitwise AND operator &, the bitwise exclusive OR operator ^, and the bitwise inclusive OR operator |. Bitwise operators should be used only with unsigned integer operands, because the results of some bitwise operations on signed integers are implementation-defined.

Noncompliant Code Example (Right Shift)

The right-shift operation may be implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If E1 in the expression E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined. Also, a bitwise shift can result in undefined behavior. (See rule INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.)

...

#include <stdio.h>

int main(void) {
  int rc = 0;
  /* 0x80000000 does not fit in a 32-bit int; the conversion is implementation-defined (usually INT_MIN) */
  int stringify = 0x80000000;
  /* room for three digits plus the terminating null character */
  char buf[sizeof("256")];
  /* signed operand: the right shift is implementation-defined and is usually arithmetic */
  rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
  if (rc == -1 || rc >= sizeof(buf)) {
    /* handle error */
  }
  return 0;
}

In this example, stringify >> 24 evaluates to 0xFFFFFF80, or 4,294,967,168. When converted to a string, the resulting value "4294967168" is too large to store in buf and is truncated by snprintf().

If this code had been implemented using sprintf() instead of snprintf(), this noncompliant code example would have resulted in a buffer overflow.

Compliant Solution (Right Shift)

In this compliant solution, stringify is declared as an unsigned integer. The value of the result of the right-shift operation is the integral part of the quotient of stringify / 2^24.

#include <stdio.h>

int main(void) {
  int rc = 0;
  /* unsigned operand: the right shift is a logical shift, so the result is at most 255 */
  unsigned int stringify = 0x80000000;
  /* room for three digits plus the terminating null character */
  char buf[sizeof("256")];
  rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
  if (rc == -1 || rc >= sizeof(buf)) {
    /* handle error */
  }
  return 0;
}

Also, consider using the sprintf_s() function, defined in ISO/IEC TR 24731-1, instead of snprintf(), to provide some additional checks. (See recommendation STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.)
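To make the difference between the two code examples concrete, here is an added example (not code from the CERT page; the function names are my own and it assumes a 32-bit int) that computes the top byte with a signed and with an unsigned operand, reports how many characters %u needs for each result, and checks whether that result fits in a buffer declared as char buf[sizeof("256")]:

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not from the CERT page. Assumes int is 32 bits. */

/* Compliant form: unsigned operand, so >> is a logical shift and the
   result is the quotient v / 2^24, which is at most 255 for 32-bit v. */
static unsigned int top_byte_unsigned(unsigned int v) {
  return v >> 24;
}

/* Noncompliant form: signed operand. Whether the sign bit is replicated
   is implementation-defined; on most compilers it is, so a negative v
   produces a value such as 0xFFFFFF80 once %u reinterprets it. */
static unsigned int top_byte_signed(int v) {
  return (unsigned int)(v >> 24);
}

/* Number of characters %u needs for v, not counting the null terminator. */
static int chars_needed(unsigned int v) {
  return snprintf(NULL, 0, "%u", v);
}

/* Mirrors the page's snprintf() call: 1 if the whole string fit into a
   buffer sized for "256", 0 if snprintf() would have truncated it. */
static int fits_in_buf(unsigned int v) {
  char buf[sizeof("256")];
  int rc = snprintf(buf, sizeof(buf), "%u", v);
  return rc >= 0 && (size_t)rc < sizeof(buf);
}

int main(void) {
  unsigned int u = top_byte_unsigned(0x80000000u);
  unsigned int s = top_byte_signed(INT_MIN); /* same bit pattern, signed */
  printf("unsigned >> 24 = %u (%d chars, fits: %d)\n",
         u, chars_needed(u), fits_in_buf(u));
  printf("signed   >> 24 = %u (%d chars, fits: %d)\n",
         s, chars_needed(s), fits_in_buf(s));
  return 0;
}
```

On a platform with an arithmetic right shift the signed form needs ten characters and fits_in_buf() reports truncation; the unsigned form always fits.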

...

fd = open(file_name, UO_WRONLY | UO_CREAT | UO_EXCL | UO_TRUNC, 0600);

INT13-EX2: If the right-hand-side operand of a shift operator is known at compile time, it is acceptable for the value to be represented with a signed type, provided it is positive.

#define SHIFT 24
foo = 15u >> SHIFT;

...

Performing bitwise operations on signed numbers can lead to buffer overflows and the execution of arbitrary code by an attacker in some cases, and to unexpected or implementation-defined behavior in others.

...

Tool             Version    Checker              Description
Compass/ROSE                                     Can detect violations of this recommendation. In particular, it flags bitwise operations that involve variables not declared with unsigned type.
Fortify SCA      V. 5.0                          Can detect violations of this recommendation with the CERT C Rule Pack.
LDRA tool suite  LDRA_V     50 S, 120 S, 331 S   Fully implemented.
Splint           Splint_V

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

ISO/IEC 2003 Section 6.5.7, "Bitwise shift operators"

ISO/IEC 9899:2011 Section 6.5.7, "Bitwise shift operators"

ISO/IEC TR 24772 "STR Bit representations," "XYY Wrap-around error," and "XZI Sign extension error"

MITRE CWE: CWE-682, "Incorrect calculation"

Bibliography

[Dowd 2006] Chapter 6, "C Language Issues"

...