SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 53

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 54

changes.mady.by.user Martin Sebor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Removed volatile from compliant solution.

...

Assume this simplified code is part of a multithreaded bank system. Threads call credit() and debit() as money is deposited into and withdrawn from the single account. Because the addition and subtraction operations are not atomic, it is possible that two operations can occur concurrently, but only the result of one would be saved. This despite declaring the account_balance volatile. For example, an attacker can credit the account with a sum of money and make a large number of small debits concurrently. Some of the debits might not affect the account balance because of the race condition, so the attacker is effectively creating money.

Code Block
bgColor#FFcccc
static volatile int account_balance;

void debit(int amount) {
  account_balance -= amount;
}

void credit(int amount) {
  account_balance += amount;
}

...

This compliant solution uses a mutex to make credits and debits atomic operations. All credits and debits will now affect the account balance, so an attacker cannot exploit the race condition to steal money from the bank. The mutex is created with the pthread_mutex_create() function. In addition, the volatile keyword is used so that prefetching does not occur. (See rule DCL34-C. Use volatile for data that cannot be cached).Note that the presence of the mutex makes declaring account_balance volatile unnecssary.

Code Block
bgColor#ccccff
#include <pthread.h>

volatilestatic int account_balance;
static pthread_mutex_t account_lock = PTHREAD_MUTEX_INITIALIZER;

voidint debit(int amount) {
  int result;
  if ((result = pthread_mutex_lock(&account_lock))
 !=  0) {
return -1;   /* indicate error Handleto Errorcaller */
  }
  account_balance -= amount;

  if ((result = pthread_mutex_unlock(&account_lock))
  != 0) {
return -1;   /* indicate Handleerror to Errorcaller */

  return 0;   /* indicate success }*/
}

voidint credit(int amount) {
  if ((result = pthread_mutex_lock(&account_lock))
  != 0) {
return -1;   /* indicate error Handleto Errorcaller */
  }
  account_balance += amount;

  if ((result = pthread_mutex_unlock(&account_lock))
 !=  0) {
return -1;   /* indicate Handleerror to Errorcaller */

  }return 0;   /* indicate success */
}

Risk Assessment

Race conditions caused by multiple threads concurrently accessing and modifying the same data can lead to abnormal termination and denial-of-service attacks or data integrity violations.

...