Page History

...

Conversions between integers and pointers can have undesired consequences depending on the implementation.

According to the to the C Standard, subclause 6.3.2.3 3 [ISO/IEC 9899:20112024],

An integer may be converted to any pointer type. Except as previously specified, the result is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.

...

Do not convert a pointer type to an integer type if the result cannot be represented in the integer type. (See undefined behavior 2423.)

The mapping between pointers and integers must be consistent with the addressing structure of the execution environment. Issues may arise, for example, on architectures that have a segmented memory model.

...

A particular platform (that is, hardware, operating system, compiler, and Standard C library) might guarantee that a memory address is correctly aligned for the pointer type, and can actually contain contains a value for that type. A common practice is to use addresses that are known to point to hardware that provides valid values.

Exceptions

INT36-C-EX1: A null pointer can be converted to an integer; it takes on the value 0. Likewise, the integer value 0  The integer value 0 can be converted to a pointer; it becomes the null pointer.

...

#include <assert.h>
#include <stdint.h>
 
void h(void) {
  intptr_t i = (intptr_t)(void *)&i;
  uintptr_t j = (uintptr_t)(void *)&j;
 
  void *ip = (void *)i;
  void *jp = (void *)j;
 
  assert(ip == &i);
  assert(jp == &j);
}

INT36-C-EX3: An integer may be converted to a void* and back as long as the pointer is not dereferenced, and the integer is in range (that is, the appropriate range for an intptr_t or uintptr_t).

The following POSIX code passes an integer, cast as a void* to a thread, and the thread prints the integer.

#include <stdio.h>
#include <pthread.h>


void *print_int(void *ptr) {
  intptr_t i = (intptr_t) ptr;
  printf("The number is %jd\n", i);
  return NULL;
}

int main(void) {
  pthread_t thr1;
  intptr_t i = 123;
  int result;

   if ((result = pthread_create(&thr1, NULL, print_int, (void *)i)) != 0) {
    /* Handle error */
  }

  pthread_exit(NULL);
  return 0;
}

Risk Assessment

Converting from pointer to integer or vice versa results in code that is not portable and may create unexpected pointers to invalid memory locations.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT-CWE Mapping Notes

Key here for mapping notes

...

Intersection(INT36-C,CWE-466) =  ∅  

Intersection(INT36-C,CWE-466) =  ∅

An example explaining the above two equations follows:

static char x[3];

char* foo() {

...

Bibliography

...