SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 34

changes.mady.by.user Osona Steave

Saved on

compared with

New Version 35

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Integer values used as a size argument to malloc(), calloc(), or realloc() can be manipulated by an attacker to cause a buffer overflow. Integer Inadequate range checking, integer overflow, or truncation can result in the allocation of an inadequately sized buffer. The programmer must ensure must ensure that size arguments to memory allocation functions are valid and have not been corrupted as the result of an exceptional integer conditionallocates sufficient memory.

Non-Compliant Code Example

In this non-compliant code example, cBlocks is multiplied by 16 and the result is stored in the unsigned long long int alloc.

Code Block
bgColor#FFcccc
void* AllocBlocks(size_t cBlocks) {
  if (cBlocks == 0) return NULL;
  unsigned long long alloc = cBlocks * 16;
  return (alloc < UINT_MAX)
     ? malloc(cBlocks * 16)
     : NULL;
}

If size_t is implemented as an unsigned int typerepresented as a 32-bit unsigned value and unsigned long long represented as a 64-bit unsigned value, for example, the result of this multiplication can still overflow because the multiplication is performed between two values of size int and the resulting actual multiplication is a 32-bit operation. As a result, the value stored in alloc is invalid will always be less than UINT_MAX.

If , on the other hand, both size_t is implemented as an and unsigned long long type types are represented as a 64-bit unsigned value, the result of the multiplication operation may not be representable as an unsigned long long value.

Compliant Solution

...

Wiki Markup
Make sure that integer values passed as size arguments to memory allocation functions are valid and have not been corrupted due to integer overflow, truncation, or sign error \[[04. Integers (INT)]\]. In the following example, the {{multsize_t()}} function multiples two values of type {{size_t}} and sets {{errno}} to a non-zero value if the resulting value cannot be represented as a {{size_t}}
Upcasting only works when a size is represented using a smaller type. Because we recommend that all sizes be represented using size_t, upcasting is never a good idea. Instead, check to make sure the multiplication does not overflow using the methods described in INT32-C. Ensure that integer operations do not result in an overflow. In the following example, the multsize_t() function sets errno to a non-zero value if the multiplication operation results in an overflow
.

Code Block
bgColor#ccccff
void *AllocBlocks(size_t cBlocks) {
  size_t alloc;

  if (cBlocks == 0) return NULL;
  alloc = multsize_t(cBlocks, 16);
  if (errno) {
    return NULL;
  }
  else {
    return malloc(alloc);
  }
} /* end AllocBlocks */

Risk Assessment

Providing invalid size arguments to memory allocation functions can lead to buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM35-C

3 (high)

2 (probable)

1 (high)

P6

L2

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]] Section 7.20.3, "Memory Management Functions"
\[[Seacord 05|AA. C References#Seacord 05]] Chapter 4, "Dynamic Memory Management"; Chapter 5 Integers, "Integer Security"