SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 116

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 117

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In this compliant solution, the integer values passed as size arguments to memory allocation functions are of the correct size and have not been altered due to integer overflow or truncation. (See INT32-C. Ensure that operations on signed integers do not result in overflow and INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data.)

Code Block
bgColor#ccccff
langc
enum { BLOCKSIZE = 16 };
/* ... */
void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0 || num_blocks > SIZE_MAX / BLOCKSIZE)
    return NULL;
  return malloc(num_blocks * BLOCKSIZE);
}

...

This example also checks for unsigned integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflow.

Compliant Solution (Size Calculation)

...

Tool

Version

Checker

Description

LDRA tool suite

Include Page
LDRA_VLDRA_V

487 S

Fully implemented.

Fortify SCA

V. 5.0

 

Can detect violations of this rule with CERT C Rule Pack, except those involving the sizeof operator,

Coverity

Include Page
Coverity_VCoverity_V

SIZECHECK

Finds memory allocations that are assigned to a pointer that reference objects larger than the allocated block.

Coverity

Include Page
Coverity_VCoverity_V

BAD_ALLOC_STRLEN

Can find instances where string length is miscalculated (length calculated may be one less than intended) for memory allocation purposes. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Compass/ROSE

 

 

could check violations of this rule by examining the size expression to malloc() or memcpy() functions. Specifically, the size argument should be bounded by 0, SIZE_MAX, and, unless it is a variable of type size_t or rsize_t, it should be bounds-checked before the malloc() call. If the argument is of the expression a*b, then an appropriate check is:

Code Block
if (a < SIZE_MAX / b && a > 0) ...

Coverity

Include Page
Coverity_V
Coverity_V

BAD_ALLOC_STRLEN


SIZECHECK

Can find instances where string length is miscalculated (length calculated may be one less than intended) for memory allocation purposes. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Finds memory allocations that are assigned to a pointer that reference objects larger than the allocated block.

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack, except those involving the sizeof operator,

LDRA tool suite

Include Page
LDRA_V
LDRA_V

487 S

Fully implemented.

Related Vulnerabilities

CVE-2009-0587 results from a violation of this rule. Before version 2.24.5, Evolution Data Server performed unchecked arithmetic operations on the length of a user-input string and used the value to allocate space for a new buffer. An attacker could thereby execute arbitrary code by inputting a long string, resulting in incorrect allocation and buffer overflow [xorl 2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard

...

MEM35-CPP. Allocate sufficient memory for an object
ISO/IEC

...

ISO/IEC TR 24772 "XYB Buffer overflow in heap"

...

TR 24772:2013Buffer Overflow in Heap [XYB]
MITRE CWECWE-190,

...

Integer overflow (wrap or wraparound)

...


...

CWE

...

-131,

...

Incorrect calculation of buffer size

...

Bibliography

[Coverity 2007]
[Seacord 2005] Chapter 4, "Dynamic Memory Management," and Chapter 5, "Integer Security"
[xorl 2009] CVE-2009-0587: Evolution Data Server Base64 Integer Overflows

...