SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 117

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 123

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

In this noncompliant code example, the value of length is read from a network connection and passed as an argument to a wrapper to malloc() to allocate the appropriate data block. Provided that the size of an unsigned long is equal to the size of an unsigned int, and both sizes are equal to or smaller than the size of size_t, this code runs as expected. However, if the size of an unsigned long is greater than the size of an unsigned int, the value stored in length may be truncated when passed as an argument to alloc().  Both read functions return zero on success and nonzero on failure.

Code Block
bgColor#FFcccc
langc
void *alloc(unsigned int blocksize) {
  return malloc(blocksize);
}

int read_counted_string(int fd) {
  unsigned long length;
  unsigned char *data;

  if (read_integer_from_network(fd, &length) < 0) {
    return -1;
  }

  data = (unsigned char*)alloc(length+1);
  if (data == NULL) {
    return -1;  /* Indicate failure */
  }

  if (read_network_data(fd, data, length) < 0) {
    free(data);
    return -1;
  }
  data[length-1] = '\0';

  /* ... */
  free( data);
  return 0;
}

...

Code Block
bgColor#ccccff
langc
void *alloc(rsize_t blocksize) {
  if (blocksize == 0 || blocksize > RSIZE_MAX) {
    return NULL;  /* Indicate failure */
  }
  return malloc(blocksize);
}

int read_counted_string(int fd) {
  rsize_t length;
  unsigned char *data;

  if (read_integer_from_network(fd, &length) < 0) {
    return -1;
  }

  data = (unsigned char*)alloc(length+1);
  if (data == NULL) {
    return -1; /* Indicate failure */
  }

  if (read_network_data(fd, data, length) < 0) {
    free(data);
    return -1;
  }
  data[length-1] = '\0';

  /* ... */
  free( data);
  return 0;
}

...

The improper calculation or manipulation of an object's size can result in exploitable vulnerabilities.

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

INT01-C

Medium

Probable

Medium

No

Yes

P8

L2

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-INT01
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.TYPE.BASIC

Basic numerical type used
Compass/ROSE

 

 



Can detect violations of this recommendation. In particular, it catches comparisons and operations where one operand is of type size_t or rsize_t and the other

is notFortify SCA

5.0

 

Will detect integer operations that cause overflow but not all cases where size_t

is not

used

Splint
Include Page
Splint_V
Splint_V

 

 



Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID INT01-CPP. Use rsize_t or size_t for all integer values representing the size of an object

Bibliography

[Meyers 2004]
 

...



...

Image Modified Image Modified Image Modified