...
This noncompliant code example is taken from a vulnerability in bash versions 1.14.6 and earlier that resulted in the release of CERT Advisory CA-1996-22. The vulnerability resulted from the sign extension of character data referenced by the string pointer in the yy_string_get() function in the parse.y module of the bash source code. On implementations where plain char is signed, a byte with the high bit set is sign-extended when it is assigned to the int variable c; in particular the byte 0xFF becomes -1, which is indistinguishable from EOF:
```c
static int yy_string_get() {
  register char *string;
  register int c;

  string = bash_input.location.string;
  c = EOF;

  /* If the string doesn't exist, or is empty, EOF found. */
  if (string && *string) {
    /* Plain char may be signed: the byte 0xFF is sign-extended to -1
       here and cannot be told apart from EOF by the caller. */
    c = *string++;
    bash_input.location.string = string;
  }
  return (c);
}
```
...
This problem was repaired by explicitly declaring the string variable as unsigned char, so that *string is zero-extended to a value in the range 0 to UCHAR_MAX when it is assigned to c. Note that bash_input.location.string is still a char *, so assigning it to an unsigned char * requires a pointer cast to avoid an incompatible-pointer-type diagnostic.
```c
static int yy_string_get() {
  register unsigned char *string;
  register int c;

  /* bash_input.location.string is a char *; the cast keeps the
     assignment well-formed without changing the bytes read. */
  string = (unsigned char *)bash_input.location.string;
  c = EOF;

  /* If the string doesn't exist, or is empty, EOF found. */
  if (string && *string) {
    /* unsigned char is zero-extended: c is always 0..UCHAR_MAX, never -1 */
    c = *string++;
    bash_input.location.string = (char *)string;
  }
  return (c);
}
```
...
In this compliant solution, the result of the expression *string++ is cast to (unsigned char) before assignment to the int variable c. The cast zero-extends the byte regardless of whether plain char is signed on the implementation, so c is always in the range 0 to UCHAR_MAX and can never collide with EOF.
```c
static int yy_string_get() {
  register char *string;
  register int c;

  string = bash_input.location.string;
  c = EOF;

  /* If the string doesn't exist, or is empty, EOF found. */
  if (string && *string) {
    /* cast to unsigned type */
    c = (unsigned char)*string++;
    bash_input.location.string = string;
  }
  return (c);
}
```
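The following is an added, self-contained example (not bash's own code) that makes the failure visible: it runs a constructed input containing the byte 0xFF through a reader written like the noncompliant yy_string_get() and through one that casts to unsigned char, and counts how many bytes each delivers before reporting EOF. The struct input_state is a stand-in for bash_input.location and is an assumption of this example. It also goes slightly beyond the bash case by showing the array-index variant of the same defect: the index a plain char would produce into a 256-entry table versus the index after the cast.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Minimal stand-in for bash's parser input state. This struct is an
 * assumption made for the demo, not bash's real bash_input.location.
 */
struct input_state {
    const char *string;
};

/* Noncompliant reader: plain char is sign-extended on implementations
 * where char is signed, so the byte 0xFF is returned as -1, which the
 * caller cannot distinguish from EOF. */
static int get_char_plain(struct input_state *in) {
    int c = EOF;
    if (in->string && *in->string) {
        c = *in->string++;
    }
    return c;
}

/* Compliant reader: the cast zero-extends, so every byte is returned
 * as a value in 0..UCHAR_MAX and can never collide with EOF (-1). */
static int get_char_unsigned(struct input_state *in) {
    int c = EOF;
    if (in->string && *in->string) {
        c = (unsigned char)*in->string++;
    }
    return c;
}

/* Drain a string through a reader and count the characters delivered
 * before the reader reports EOF. */
static size_t count_until_eof(int (*reader)(struct input_state *),
                              const char *s) {
    struct input_state in = { s };
    size_t n = 0;
    while (reader(&in) != EOF) {
        n++;
    }
    return n;
}

/* Index that plain char promotion would use into a 256-entry lookup
 * table: a high-bit byte yields a negative index on signed-char
 * implementations. Returns the index only; nothing is dereferenced. */
static int table_index_plain(char c) {
    return c;
}

/* Same lookup with the cast: always 0..255, so always in bounds. */
static int table_index_unsigned(char c) {
    return (unsigned char)c;
}

/* Constructed sample input. The 0xFF byte is split out of the string
 * literal so the hex escape does not swallow the letters after it. */
static const char sample_input[] = "ab" "\xFF" "cd";

int main(void) {
    printf("char is %s on this implementation\n",
           CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("plain char reader delivered %zu of %zu bytes\n",
           count_until_eof(get_char_plain, sample_input),
           sizeof sample_input - 1);
    printf("unsigned char reader delivered %zu of %zu bytes\n",
           count_until_eof(get_char_unsigned, sample_input),
           sizeof sample_input - 1);
    printf("index for byte 0xFF: plain %d, cast %d\n",
           table_index_plain('\xFF'), table_index_unsigned('\xFF'));
    return 0;
}
```

On an implementation with signed char (x86 and x86-64 with the usual compilers), the plain-char reader stops after two bytes because 0xFF is read as -1; on an implementation with unsigned char it happens to deliver all five, which is exactly why the defect is easy to miss when testing on only one platform. The cast version delivers all five bytes everywhere.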
...
Compass/ROSE can detect violations of this rule when checking for violations of INT07-C. Use only explicitly signed or unsigned char type for numeric values.
Related Vulnerabilities
[CVE-2009-0887](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0887) results from a violation of this rule. In Linux PAM (up to version 1.0.3), the `libpam` implementation of strtok converts a (potentially signed) character to an integer for use as an index into an array. An attacker can exploit this by supplying a string containing non-ASCII characters (bytes with the high bit set), causing the conversion to yield a negative index and accessing memory outside the array [[xorl 2009](http://xorl.wordpress.com/2009/03/26/cve-2009-0887-linux-pam-singedness-issue/)].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
[ISO/IEC 9899:1999] Section 6.2.5, "Types"
[MISRA 04] Rule 6.1, "The plain char type shall be used only for the storage and use of character values."
[MITRE 07] [CWE ID 704](http://cwe.mitre.org/data/definitions/704.html), "Incorrect Type Conversion or Cast"
[xorl 2009] ["CVE-2009-0887: Linux-PAM Singedness Issue"](http://xorl.wordpress.com/2009/03/26/cve-2009-0887-linux-pam-singedness-issue/)
...