SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 112

changes.mady.by.user Eric Wong

Saved on

compared with

New Version 113

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Integer values used as a size argument to malloc(), calloc(), or realloc(), or aligned_alloc must be valid and large enough to contain the objects to be stored. If size arguments are incorrect or can be manipulated by an attacker, then a buffer overflow may occur. Incorrect size arguments, inadequate range checking, integer overflow, or truncation can result in the allocation of an inadequately sized buffer. The programmer must ensure that size arguments to memory allocation functions allocate sufficient memory.

...

If both size_t and unsigned long long types are represented as a 64-bit unsigned value, the result of the multiplication operation may not be representable as an unsigned long long value. See rule INT35-C. Evaluate integer expressions in a larger size before comparing or assigning to that size for more information on upcasting.

...

In this compliant solution, the integer values passed as size arguments to memory allocation functions are of the correct size and have not been altered due to integer overflow or truncation. (See rules INT32-C. Ensure that operations on signed integers do not result in overflow and INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data.)

Code Block
bgColor#ccccff
langc
enum { BLOCKSIZE = 16 };
/* ... */
void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0 || num_blocks > SIZE_MAX / BLOCKSIZE)
    return NULL;
  return malloc(num_blocks * BLOCKSIZE);
}

This example checks the value of num_blocks to make sure the subsequent multiplication operation cannot result in an integer overflow. The code also ensures that num_blocks is not equal to zero. (See recommendation MEM04-C. Do not perform zero length allocations.)

...

Code Block
bgColor#ccccff
langc
size_t len;
char *str;
char buf[BUFF_SIZE];

/* ... */
if (len < BUFF_SIZE){
  memcpy(buf, str, len);
}
/* ... */

See recommendation INT01-C. Use rsize_t or size_t for all integer values representing the size of an object for more information on representing the size of objects.

...

This example also checks for unsigned integer overflow in compliance with rule INT32-C. Ensure that operations on signed integers do not result in overflow.

Compliant Solution (Size Calculation)

...

The code also ensures that len is not equal to zero. (See recommendation MEM04-C. Do not perform zero length allocations.)

...

section

Fully

Implemented

implemented.

Fortify SCA

section

can

Can detect violations of this rule with CERT C Rule Pack, except those involving the sizeof operator,

Coverity Prevent

SIZECHECK

finds

Finds memory allocations that are assigned to a pointer that reference objects larger than the allocated block.

Coverity Prevent

BAD_ALLOC_STRLEN

can

Can find

the

instances where string length is miscalculated (length calculated may be one less than intended) for memory allocation purposes. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

Compass/ROSE

could check violations of this rule by examining the size expression to malloc() or memcpy() functions. Specifically, the size argument should be bounded by 0, SIZE_MAX, and, unless it is a variable of type size_t or rsize_t, it should be bounds-checked before the malloc() call. If the argument is of the expression a*b, then an appropriate check is:

Tool

Version

Checker

Description

LDRA tool suite

Include Page
LDRA_V
LDRA_V
section

487 S

Section
Section

V. 5.0

 

Section
Section
Include Page
Coverity_V
Coverity_V
Section
Section
Section
Include Page
Coverity_V
Coverity_V
Section
Section
Section

 

 

Section
Code Block
if (a < SIZE_MAX / b && a > 0) ...

Related Vulnerabilities

CVE-2009-0587 results from a violation of this rule. Before version 2.24.5, Evolution Data Server performed unchecked arithmetic operations on the length of a user-input string and used the value to allocate space for a new buffer. Thus, an attacker could execute An attacker could thereby execute arbitrary code by inputting a long string, resulting in incorrect allocation and buffer overflow [xorl 2009].

...

CERT C++ Secure Coding Standard: MEM35-CPP. Allocate sufficient memory for an object

ISO/IEC 9899:19992011 Section 7.2022.3, "Memory Management Functionsmanagement functions"

ISO/IEC TR 24772 "XYB Buffer Overflow overflow in Heapheap"

MITRE CWE: CWE-190, "Integer Overflow overflow (Wrap wrap or Wraparoundwraparound)"

MITRE CWE: CWE-131, "Incorrect Calculation calculation of Buffer Sizebuffer size"

Bibliography

[Coverity 2007]
[Seacord 2005] Chapter 4, "Dynamic Memory Management," and Chapter 5, "Integer Security"
[xorl 2009] "CVE-2009-0587: Evolution Data Server Base64 Integer Overflows"

...