...

int si = /* some signed value */;
unsigned ui = /* some unsigned value */;
printf("%d\n", (si < 0 || (unsigned)si < ui));

Automated Detection

Compass/ROSE does not currently detect violations of this rule, but it could do so simply by reporting comparisons between unsigned integer types and signed integer types.

Risk Assessment

Misunderstanding integer conversion rules can lead to errors, which in turn can lead to exploitable vulnerabilities. The major risks occur when narrowing the type (which requires a specific cast or assignment), or converting from unsigned to signed, or from negative to unsigned.

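| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|----------------|----------|------------|------------------|----------|-------|
| INT02-C        | medium   | probable   | medium           | P8       | L2    |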

Related Vulnerabilities

This vulnerability in Adobe Flash arises because Flash passes a signed integer to calloc(). An attacker has control over this integer and can send negative numbers. Because calloc() takes size_t, which is unsigned, the negative number is converted to a very large number, which is generally too big to allocate; as a result, calloc() returns NULL, permitting the vulnerability to exist.
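The signed-to-size_t conversion described above, next to a wrapper that validates the count before converting it. This is an added example, not code from this page or from Adobe Flash; the function names and the sample input of -1 are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The value calloc() actually receives when handed a signed count:
 * the int is converted to size_t, so -1 becomes SIZE_MAX. */
size_t count_as_seen_by_calloc(int count) {
    return (size_t)count;
}

/* Unchecked pattern: the conversion (written explicitly here, implicit
 * when an int is passed directly) turns a negative count into a huge
 * request. calloc() fails, and every caller must remember to test for
 * NULL before using the result. */
void *alloc_unchecked(int count, size_t elem_size) {
    return calloc((size_t)count, elem_size);
}

/* Hardened form (hypothetical helper): reject bad counts while the value
 * is still signed, then bound the product so it cannot wrap.
 * A zero count is treated as an error here by design. */
void *alloc_checked(int count, size_t elem_size) {
    if (count <= 0 || elem_size == 0)
        return NULL;
    size_t n = (size_t)count;            /* safe: count is known positive */
    if (n > SIZE_MAX / elem_size)
        return NULL;                     /* n * elem_size would overflow */
    return calloc(n, elem_size);
}

int main(void) {
    int untrusted_count = -1;            /* constructed sample input */
    printf("count %d reaches calloc() as %zu\n",
           untrusted_count, count_as_seen_by_calloc(untrusted_count));

    void *p = alloc_checked(untrusted_count, 16);
    printf("alloc_checked(-1, 16): %s\n", p ? "allocated" : "rejected");
    free(p);

    p = alloc_checked(4, 16);
    printf("alloc_checked(4, 16):  %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The checked wrapper rejects the negative count before conversion, so the failure is reported at the trust boundary rather than depending on a NULL check after a failed allocation.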

...