SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 75

changes.mady.by.user Jodi Blake

Saved on

compared with

New Version 76

changes.mady.by.user Fred Long

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Integer values can be invalidated due to excpetional exceptional conditions such as overflow, truncation, or sign error leading to exploitable vulnerabilities. Failure to provide proper range checking can also lead to exploitable vulnerabilities.

Faced with an integer overflow, the underlying computer system may do one of two things: a) signal some sort of error condition, or b) produce an integer result that is within the range of representable integer on that system. The latter semantics may be preferable in some situations in that it allows the computation to proceed, thus avoiding a denial-of-service attack. However, it raises the question of what integer result to return to the user.

Below, is set out definitions of two algorithms that produce integer results that are always within a defined range, namely between the integer values MIN and MAX (inclusive), where MIN and MAX are two representable integers with MIN < MAX. This method of producing integer results is called Verifiably-in-Range Integers. The two algorithms are Saturation and Modwrap, defined in the following two sub-sections.

Saturation Semantics

For saturation semantics, assume that the mathematical result of the computation is result. The value actually returned to the user is set out in the following table:

range of mathematical result

result returned

MAX < result

MAX

MIN <= result <= MAX

result

result < MIN

MIN

Modwrap Semantics

Wiki Markup
Modwrap semantics is where the integer values "wrap round" (also called _modulo_ arithmetic).  That is, adding one to {{MAX}} produces {{MIN}}.  This is the defined behavior for unsigned integers in the C Standard \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] (see Section 6.2.5, "Types", paragraph 9) and, very often, is the behavior of signed integers also.  However, in many applications, it would be more sensible to use saturation semantics rather than modwrap semantics.  For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow, rather than suddenly becoming a very small value.

Recommendations

INT00-A. Do not make assumptions about the type of a bit-field when used in an expression

...