Bitwise operators include the complement operator (~), bitwise shift operators (>> and <<), bitwise AND operator (&), bitwise exclusive OR operator (^), and bitwise inclusive OR operator (|). Bitwise operators should be used only with unsigned integer operands, as the results of some bitwise operations on signed integers are implementation-defined.
...
Noncompliant Code Example (right shift)
The right-shift operation may be implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If E1 in the expression E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined. Also, be careful to avoid undefined behavior while performing a bitwise shift (see INT34-C. Do not shift a negative number of bits or more bits than exist in the operand). This noncompliant code example can result in an error condition on implementations in which an arithmetic shift is performed and the sign bit can be propagated as the number is shifted [Dowd 06].
...
If this code had been implemented using sprintf() instead of snprintf(), this noncompliant code example would have resulted in a buffer overflow.
Compliant Solution (right shift)
In this compliant solution, stringify is declared as an unsigned integer. The value of the result of the right shift operation is the integral part of the quotient of stringify / 2^24.
...
Also, consider using the sprintf_s() function defined in ISO/IEC TR 24731-1 instead of snprintf() to provide some additional checks (see STR07-C. Use TR 24731 for remediation of existing string manipulation code).
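The following added example (not code from the CERT page) contrasts the noncompliant signed shift with the compliant unsigned one and reuses the page's snprintf() pattern, reporting whether the formatted value fit instead of overflowing. It assumes a 32-bit int, so INT_MIN has only the sign bit set; the function names are this example's own.

```c
#include <limits.h>
#include <stdio.h>

#define SHIFT 24

/* Noncompliant form: right-shifting a negative signed int is
 * implementation-defined (arithmetic or logical shift). The result is
 * returned reinterpreted as unsigned to expose what this implementation did. */
unsigned int shift_signed(int stringify) {
    return (unsigned int)(stringify >> SHIFT);
}

/* Compliant form: with an unsigned operand the result is always the
 * integral part of stringify / 2^24, i.e. the top byte of a 32-bit value. */
unsigned int shift_unsigned(unsigned int stringify) {
    return stringify >> SHIFT;
}

/* Formats the shifted value into buf as the page's example does and reports
 * whether it fit. With sprintf() instead of snprintf() a result that does
 * not fit would overflow buf. Returns 1 if it fit, 0 on truncation or error. */
int format_high_byte(unsigned int shifted, char *buf, size_t buflen) {
    int rc = snprintf(buf, buflen, "%u", shifted);
    return (rc >= 0 && (size_t)rc < buflen) ? 1 : 0;
}

/* Convenience wrapper: does the formatted top byte fit in a buffer sized
 * for the largest expected value, "255" (three digits plus the NUL)? */
int high_byte_fits(unsigned int shifted) {
    char buf[sizeof("255")];
    return format_high_byte(shifted, buf, sizeof buf);
}

/* True when this implementation propagates the sign bit on a signed right
 * shift (arithmetic shift), which is the case the text warns about. */
int uses_arithmetic_shift(void) {
    return shift_signed(INT_MIN) != shift_unsigned((unsigned int)INT_MIN);
}

int main(void) {
    /* Assumption: 32-bit int, so INT_MIN is 0x80000000 (sign bit only). */
    printf("unsigned: %u (fits: %d)\n", shift_unsigned((unsigned int)INT_MIN),
           high_byte_fits(shift_unsigned((unsigned int)INT_MIN)));
    printf("signed:   %u (fits: %d, arithmetic shift: %d)\n",
           shift_signed(INT_MIN), high_byte_fits(shift_signed(INT_MIN)),
           uses_arithmetic_shift());
    return 0;
}
```

On an implementation with an arithmetic shift the signed form yields 4294967168, which a four-byte buffer cannot hold; the unsigned form always yields 128.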
Exceptions
INT13-EX1: When used as bit flags, it is acceptable to use preprocessor macros as arguments to the & and | operators even if the value is not explicitly declared as unsigned.
...
```c
#define SHIFT 24
foo = 15u >> SHIFT;
```
Risk Assessment
Improper range checking can lead to buffer overflows and the execution of arbitrary code by an attacker.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| INT13-C | high | unlikely | medium | P6 | L2 |
Automated Detection
The LDRA tool suite V 7.6.0 can detect violations of this recommendation.
...
Compass/ROSE can detect violations of this rule. In particular, it flags bitwise operations that involve variables not declared with an unsigned type.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[Dowd 06] Chapter 6, "C Language Issues"
[ISO/IEC 03] Section 6.5.7, "Bitwise shift operators"
[ISO/IEC 9899:1999] Section 6.5.7, "Bitwise shift operators"
[ISO/IEC PDTR 24772] "STR Bit Representations," "XYY Wrap-around Error," and "XZI Sign Extension Error"
...