...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdint.h>
#include <stdlib.h>
void function(size_t len) {
long *p;
if (len == 0 || len > SIZE_MAX / sizeof(long)) {
/* Handle overflow */
}
p = (long *)malloc(len * sizeof(int));
if (p == NULL) {
/* Handle error */
}
free(p);
}
|
Compliant Solution (Integer)
This compliant solution uses sizeof(long) to correctly size the memory allocation:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdint.h>
#include <stdlib.h>
void function(size_t len) {
long *p;
if (len == 0 || len > SIZE_MAX / sizeof(long)) {
/* Handle overflow */
}
p = (long *)malloc(len * sizeof(long));
if (p == NULL) {
/* Handle error */
}
free(p);
}
|
Compliant Solution (Integer)
Alternatively, sizeof(*p) can be used to properly size the allocation:
...
Providing invalid size arguments to memory allocation functions can lead to buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM35-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||
|---|---|---|---|---|---|---|---|
| Astrée |
|
| Supported, but no explicit checker | |||||||||
| CodeSonar |
| ALLOC.SIZE.ADDOFLOW | Addition overflow of allocation size | ||||||
| Compass/ROSE |
Could check violations of this rule by examining the size expression to
| |||||||||
| BAD_ALLOC_STRLEN SIZECHECK (deprecated) | Partially implemented Can find instances where string length is miscalculated (length calculated may be one less than intended) for memory allocation purposes. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary Finds memory allocations that are assigned to a pointer that reference objects larger than the allocated block | |||||||
| Klocwork |
|
| LDRA tool suite |
| 400 S, 487 S, 115 D | Enhanced enforcement | ||||||
| Splint | 3.1.1 |
| Parasoft C/C++test | 9.5 | MRM-45 | Partially implemented | |||||
| Polyspace Bug Finder | R2016a | Memory allocation with tainted size, Pointer access out of bounds, Wrong type used in sizeof | Size argument to memory function is from an unsecure source Pointer dereferenced outside its bounds
| |||||
| PRQA QA-C |
| 0696, 0701, 1069, 1071, 1073 |
| PRQA QA-C++ | 4.2 | 2840, 2841, 2842, 2843, 2844 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CERT C Secure Coding Standard | ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data INT32-C. Ensure that operations on signed integers do not result in overflow INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size MEM04-C. Beware of zero-length allocations |
| ISO/IEC TR 24772:2013 | Buffer Boundary Violation (Buffer Overflow) [HCB] |
| ISO/IEC TS 17961:2013 | Taking the size of a pointer to determine the size of the pointed-to type [sizeofptr] |
| MITRE CWE | CWE-131, Incorrect Calculation of Buffer Size CWE-190, Integer Overflow or Wraparound CWE-467, Use of |
Bibliography
| [Coverity 2007] |
| [Drepper 2006] | Section 2.1.1, "Respecting Memory Bounds" |
| [Seacord 2013] | Chapter 4, "Dynamic Memory Management" Chapter 5, "Integer Security" |
| [Viega 2005] | Section 5.6.8, "Use of sizeof() on a Pointer Type" |
| [xorl 2009] | CVE-2009-0587: Evolution Data Server Base64 Integer Overflows |
...
...