SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 122

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 123

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In this noncompliant code example, num_blocks is multiplied by 16 and the result is stored in the alloc.:

Code Block
bgColor#FFcccc
langc
enum { BLOCKSIZE = 16 };
/* ... */
void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0) {
    return NULL;
  }
  unsigned long long alloc = num_blocks * BLOCKSIZE ;
  return (alloc < UINT_MAX)
     ? malloc(num_blocks * BLOCKSIZE )
     : NULL;
}

...

In this compliant solution, len is declared as a size_t so there is no possibility of this variable having a negative value and bypassing the range check.:

Code Block
bgColor#ccccff
langc
size_t len;
char *str;
char buf[BUFF_SIZE];

/* ... */
if (len < BUFF_SIZE){
  memcpy(buf, str, len);
}
/* ... */

...

To correct the noncompliant code example, sizeof(long) is used to size the memory allocation.:

Code Block
bgColorccccff
langc
void function(size_t len) {
   long *p;
   if (len == 0 || len > SIZE_MAX / sizeof(long)) {
      /* Handle overflow */
   }
   p = (long *)malloc(len * sizeof(long));
   if (p == NULL) {
      /* Handle error */
   }
   /* ... */
   free(p);
}

Alternatively, sizeof(*p) can be used to properly size the allocation.:

Code Block
bgColorccccff
langc
void function(size_t len) {
   long *p;
   if (len == 0 || len > SIZE_MAX / sizeof(*p)) {
      /* Handle overflow */
   }
   p = (long *)malloc(len * sizeof(*p));
   if (p == NULL) {
      /*   Handle error */
   }
   /* ... */
   free(p);
}

...

Tool

Version

Checker

Description

Compass/ROSE

 

 

could check violations of this rule by examining the size expression to malloc() or memcpy() functions. Specifically, the size argument should be bounded by 0, SIZE_MAX, and, unless it is a variable of type size_t or rsize_t, it should be bounds-checked before the malloc() call. If the argument is of the expression a*b, then an appropriate check is:

Code Block
if (a < SIZE_MAX / b && a > 0) ...

Coverity

Include Page
Coverity_V
Coverity_V

BAD_ALLOC_STRLEN


SIZECHECK

Can find instances where string length is miscalculated (length calculated may be one less than intended) for memory allocation purposes. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Finds memory allocations that are assigned to a pointer that reference objects larger than the allocated block.

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack, except those involving the sizeof operator,

LDRA tool suite

Include Page
LDRA_V
LDRA_V

487 S

Fully implemented.

Related Vulnerabilities

CVE-2009-0587 results from a violation of this rule. Before version 2.24.5, Evolution Data Server performed unchecked arithmetic operations on the length of a user-input string and used the value to allocate space for a new buffer. An attacker could thereby execute arbitrary code by inputting a long string, resulting in incorrect allocation and buffer overflow [xorl 2009].

...