Different alignments are possible for different types of objects. If the type checking system is overridden by an explicit cast, it is possible or the pointer is cast into and out of void *, the alignment of an object may not be the same as the alignment of the object to which it was castbe changed. As a result, if a pointer to one object is converted to a pointer to a different object, the objects must have the same alignment.
Non-Compliant Code Example
By definition of C99 , allows a pointer may be cast into and out of void * validly. Thus As a result, it is possible to silently switch convert from one pointer type of pointer to another without flagging a compiler warning by first the compiler diagnosing the problem by storing or casting the initial a pointer to void * and then storing or casting it to the final type. In the following this non-compliant code example, the type checking system is circumvented due to the caveats of void pointers.
| Code Block | ||
|---|---|---|
| ||
char *loop_ptr;
int *int_ptr;
int *loop_function(void *v_pointer){
return v_pointer;
}
int_ptr = loop_function(loop_ptr);
|
This example should compile compiles without warning. However, v_pointer might may be aligned on a 1 one byte boundary. Once it is cast to an int, some architectures will require it to be on 4 byte boundariesthat the object is aligned on a four byte boundary. If int_ptr is then later dereferenced, abnormal termination of the program may resulttermination abnormally.
Compliant Solution
In this compliant solution, the parameter is changed Because the input parameter directly influences the return value, and loopFunction() returns an int *, the formal parameter v_pointer is redeclared to only accept other int * pointers since the input parameter directly influences the output parameter.
| Code Block | ||
|---|---|---|
| ||
int *loop_ptr;
int *int_ptr;
int *loopFunction(int *v_pointer) {
return v_pointer;
}
int_ptr = loopFunction(loop_ptr);
|
Implementation Details
List of common alignments for Microsoft, Borland, and GNU compilers to x86for the IA-32 architecture.
Type | Alignment |
|---|---|
| 1 byte aligned |
| 2 byte aligned |
| 4 byte aligned |
| 4 byte aligned |
| 8 byte on Windows, 4 byte on Linux |
Risk Assessment
Accessing a pointer or an object that is no longer on the correct access boundary can cause a program to crash, give wrong information, or may cause slow pointer accesses (if the architecture does not care about alignment).
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP36-C | 1 (low) | 2 (probable) | 2 (medium) | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[Bryant 03|AA. C References#Bryant 03]\] \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.2.5, "Types" |