
Integer values used as a size argument to malloc(), calloc(), or realloc() must be valid and large enough to contain the objects to be stored. If size arguments are incorrect or can be manipulated by an attacker, then a buffer overflow may occur. Incorrect size arguments, inadequate range checking, integer overflow, or truncation can result in the allocation of an inadequately sized buffer. The programmer must ensure that size arguments to memory allocation functions allocate sufficient memory.

...

Noncompliant Code Example (Integer Overflow)

In this noncompliant code example, num_blocks is multiplied by 16, and the result is stored in alloc.

...

This example checks the value of num_blocks to make sure the subsequent multiplication operation cannot result in an integer overflow. The code also ensures that num_blocks is not equal to zero (see MEM04-C. Do not perform zero length allocations).

...

Noncompliant Code Example (Range Checking)

In this noncompliant code example, the string referenced by str and the string length represented by len originate from untrusted sources. The length is used to perform a memcpy() into the fixed-size static array buf. The len variable is guaranteed to be less than BUFF_SIZE. However, because len is declared as an int, it can have a negative value that would bypass the check. The memcpy() function implicitly converts len to an unsigned size_t type, and the resulting operation causes a buffer overflow.

...

See INT01-C. Use rsize_t or size_t for all integer values representing the size of an object for more information on representing the size of objects.
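The overflow guard on num_blocks and the range check on len described above, as an added example that is not part of the original rule text. The helper names alloc_blocks, signed_check_passes, as_copy_size and copy_checked, the use of size_t throughout, and the value of BUFF_SIZE are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 16u /* multiplier named in the text */
#define BUFF_SIZE 10   /* assumed value; the page does not give one */

/* Allocate num_blocks * 16 bytes. Returns NULL for a zero count or when
 * the product would wrap around SIZE_MAX. (Hypothetical helper.) */
void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0 || num_blocks > SIZE_MAX / BLOCK_SIZE) {
    return NULL;
  }
  return malloc(num_blocks * BLOCK_SIZE);
}

/* The flawed check from the text: len is an int and only its upper
 * bound is tested, so any negative value passes. Returns 1 on pass. */
int signed_check_passes(int len) { return len < BUFF_SIZE; }

/* The byte count memcpy() would receive after converting len to size_t. */
size_t as_copy_size(int len) { return (size_t)len; }

/* Range-checked copy: len is a size_t, so it cannot be negative, and it
 * must leave room for the terminator. Returns 0 on success, -1 otherwise. */
int copy_checked(char *dst, size_t dst_size, const char *src, size_t len) {
  if (dst == NULL || src == NULL || len >= dst_size) {
    return -1;
  }
  memcpy(dst, src, len);
  dst[len] = '\0';
  return 0;
}

int main(void) {
  char buf[BUFF_SIZE];
  void *p = alloc_blocks(4);
  printf("alloc_blocks(4): %s\n", p ? "ok" : "rejected");
  free(p);
  printf("alloc_blocks(SIZE_MAX / 16 + 1): %s\n",
         alloc_blocks(SIZE_MAX / 16 + 1) ? "ok" : "rejected");
  printf("len = -1 passes signed check: %d, memcpy size: %zu\n",
         signed_check_passes(-1), as_copy_size(-1));
  printf("copy_checked(len = 3): %d\n", copy_checked(buf, sizeof buf, "abc", 3));
  printf("copy_checked(len = (size_t)-1): %d\n",
         copy_checked(buf, sizeof buf, "abc", (size_t)-1));
  return 0;
}
```

The count SIZE_MAX / 16 + 1 is the smallest value whose product with 16 wraps to zero, which is why the guard compares against SIZE_MAX / BLOCK_SIZE before multiplying rather than inspecting the product afterwards.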

...

Noncompliant Code Example (Size Calculation)

In this noncompliant code example, an array of long is allocated and assigned to p. However, sizeof(int) is used to size the allocated memory. If sizeof(long) is larger than sizeof(int), then an insufficient amount of memory is allocated.

...

Compliant Solution (Size Calculation)

To correct the noncompliant code example, sizeof(long) is used to size the memory allocation.

...