SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 107

changes.mady.by.user Amy Gale

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

  1. If both operands have the same type, no further conversion is needed.
  2. If both operands are of the same integer type (signed or unsigned), the operand with the type of lesser integer conversion rank is converted to the type of the operand with greater rank.
  3. If the operand that has unsigned integer type has rank greater than or equal to the rank of the type of the other operand, the operand with signed integer type is converted to the type of the operand with unsigned integer type.
  4. If the type of the operand with signed integer type can represent all of the values of the type of the operand with unsigned integer type, the operand with unsigned integer type is converted to the type of the operand with signed integer type.
  5. Otherwise, both operands are converted to the unsigned integer type corresponding to the type of the operand with signed integer type. Specific operations can add to or modify the semantics of the usual arithmetic operations.

Example

In the following example, assume the code is compiled using an implementation with 8-bit char, 32-bit int, and 64-bit long long:

...

Noncompliant Code Example

This noncompliant code noncompliant code example demonstrates how performing bitwise operations on integer types smaller than int may have unexpected results:

...

In this example, a bitwise complement of port is first computed and then shifted 4 bits to the right. If both of these operations are performed on an 8-bit unsigned integer, then result_8 will have the value 0x0a. However, port is first promoted to a signed int, with the following results (on a typical architecture where type int is 32 bits wide):

Expression

Type

Value

Notes

port

uint8_t

0x5a

 


~port

int

0xffffffa5

 


~port >> 4

int

0x0ffffffa

Whether or not value is negative is implementation-defined

result_8

uint8_t

0xfa

 


Compliant Solution

In this compliant solution, the bitwise complement of port is converted back to 8 bits. Consequently, result_8 is assigned the expected value of 0x0aU.

Code Block
bgColor#ccccff
langc
uint8_t port = 0x5a;
uint8_t result_8 = (uint8_t) (~port) >> 4;

Noncompliant Code Example

In this example, a character is iterated from 0 to CHAR_MAX. However, on a platform where char is signed (such as 32-bit x86), max  is set to 0x80  while i  increments from 0x79  to {{0xffffff80} (aka -127):

Code Block
bgColor#FFcccc
langc
#include <limits.h>

unsigned char max = CHAR_MAX + 1;
for (char i = 0; i < max; ++i) {
  printf("i=0x%08x max=0x%08x\n", i, max);
}

Compliant Solution

There are several ways to rectify this example. One way is to treat both chars as unsigned, which prevents wraparound:

Code Block
bgColor#ccccff
langc
#include <limits.h>

unsigned char max = CHAR_MAX + 1;
for (unsigned char i = 0; i < max; ++i) {
  printf("i=0x%08x max=0x%08x\n", i, max);
}

Noncompliant Code Example

This noncompliant code example, adapted from the Cryptography Services blog, demonstrates how signed overflow can occur even when it seems that only unsigned types are in use:

Code Block
bgColor#FFcccc
langc
unsigned short x = 45000, y = 50000;
unsigned int z = x * y;

On implementations where short is 16 bits wide and int is 32 bits wide, the program results in undefined behavior due to signed overflow. This is because the unsigned shorts become signed when they are automatically promoted to integer, and their mathematical product (2250000000) is greater than the largest signed 32-bit integer (231 - 1, which is 2147483647).

Compliant Solution

In this compliant solution, by manually casting one of the operands to unsigned int, the multiplication will be unsigned and so will not result in undefined behavior:

Code Block
bgColor#ccccff
langc
unsigned short x = 45000, y = 50000;
unsigned int z = x * (unsigned int)y;

Risk Assessment

Misunderstanding integer conversion rules can lead to errors, which in turn can lead to exploitable vulnerabilities. The major risks occur when narrowing the type (which requires a specific cast or assignment), converting from unsigned to signed, or converting from negative to unsigned.

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

INT02-C

Medium

Probable

No

Medium

No

P8

P4

L2

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.SIZE.TRUNC

LANG.CAST.COERCE

LANG.CAST.VALUE

MISC.MEM.SIZE.TRUNC

Truncation of Allocation Size

Coercion Alters Value

Cast Alters Value

Truncation of Size

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.INT02

Fully implemented

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1250, C1251, C1252, C1253, C1256, C1257, C1260, C1263, C1266, C1274, C1290, C1291, C1292, C1293, C1294, C1295, C1296, C1297, C1298, C1299, C1800, C1802, C1803, C1804, C1810, C1811, C1812, C1813, C1820, C1821, C1822, C1823, C1824, C1830, C1831, C1832, C1833, C1834, C1840, C1841, C1842, C1843, C1844, C1850, C1851, C1852, C1853, C1854, C1860, C1861, C1862, C1863, C1864, C1880, C1881, C1882, C2100, C2101, C2102, C2103, C2104, C2105, C2106, C2107, C2109, C2110, C2111, C2112, C2113, C2114, C2115, C2116, C2117, C2118, C2119, C2120, C2122, C2124, C2130, C2132, C2134, C4401, C4402, C4403, C4404, C4405, C4410, C4412, C4413, C4414, C4415, C4420, C4421, C4422, C4423, C4424, C4425, C4430, C4431, C4432, C4434, C4435, C4436, C4437, C4440, C4441, C4442, C4443, C4445, C4446, C4447, C4460, C4461, C4463, C4464, C4470, C4471, C4480, C4481


Klocwork
Include Page
Klocwork_V
Klocwork_V
MISRA.CAST.INT
MISRA.CAST.UNSIGNED_BITS
MISRA.CONV.INT.SIGN
MISRA.CVALUE.IMPL.CAST
MISRA.UMINUS.UNSIGNED
PRECISION.LOSS
LDRA tool suite
Include Page
LDRA_V
LDRA_V


52 S


, 93 S


, 96 S


, 101 S, 107 S


, 332 S


, 334 S


, 433 S


, 434 S


442 S
443 S

, 446 S


, 452 S


, 457 S


, 458

S
491

S

Fully implemented

PRQA QA-C Include PagePRQA_VPRQA_V

0290
0291
3755
3756
3757
3758
3759
3760
3762
3763
3764
3765

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-INT02-a
CERT_C-INT02-b

Implicit conversions from wider to narrower integral type which may result in a loss of information shall not be used
Avoid mixing arithmetic of different precisions in the same expression

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

501, 502, 569, 570, 573,
574, 701, 702, 732, 734,
737

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. INT02-C


Checks for sign change integer conversion overflow (rec. fully supported)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V555, V605, V673, V5006
Fully implemented

Related Vulnerabilities

This vulnerability in Adobe Flash arises because Flash passes a signed integer to calloc(). An attacker has control over this integer and can send negative numbers. Because calloc() takes size_t, which is unsigned, the negative number is converted to a very large number, which is generally too big to allocate, and as a result, calloc() returns NULL, causing the vulnerability to exist.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++
Secure
Coding StandardVOID INT02-CPP. Understand integer conversion rules
ISO/IEC TR 24772:2013Numeric Conversion Errors [FLC]
MISRA C:2012Rule 10.1 (required)
Rule 10.3 (required)
Rule 10.4 (required)
Rule 10.6 (required)
Rule 10.7 (required)
Rule 10.8 (required)
MITRE CWECWE-192, Integer coercion error
CWE-197, Numeric truncation error

Bibliography

[Dowd 2006]Chapter 6, "C Language Issues" ("Type Conversions," pp. 223–270)
[Seacord 2013]

Chapter 5, "Integer Security"

...


...

Image Modified Image Modified Image Modified