Page History

...

Annex J of the C Standard [ISO/IEC 9899:20112024] states that it is undefined behavior if the "pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid." (See undefined behavior 109108.)

In the following code,

Code Block
int arr[5]; int p = arr; unsigned char p2 = (unsigned char )arr; unsigned char p3 = arr + 2; void *p4 = arr;

...

`fgets()`	`fgetws()`	`mbstowcs()`¹	`wcstombs()`¹
`mbrtoc16()`²	`mbrtoc32()`²	`mbsrtowcs()`¹	`wcsrtombs()`¹
`mbtowc()`²	`mbrtowc()`¹²	`mblen()`	`mbrlen()`
`memchr()`	`wmemchr()`	`memset()`	`wmemset()`
`strftime()`	`wcsftime()`	`strxfrm()¹`	`wcsxfrm()¹`
`strncat()²`	`wcsncat()²`	`snprintf()`	`vsnprintf()`
`swprintf()`	`vswprintf()`	`setvbuf()`	`tmpnam_s()`
`snprintf_s()`	`sprintf_s()`	`vsnprintf_s()`	`vsprintf_s()`
`gets_s()`	`getenv_s()`	`wctomb_s()`	`mbstowcs_s()³`
`wcstombs_s()³`	`memcpy_s()³`	`memmove_s()³`	`strncpy_s()³`
`strncat_s()³`	`strtok_s()²`	`strerror_s()`	`strnlen_s()`
`asctime_s()`	`ctime_s()`	`snwprintf_s()`	`swprintf_s()`
`vsnwprintf_s()`	`vswprintf_s()`	`wcsncpy_s()³`	`wmemcpy_s()³`
`wmemmove_s()³`	`wcsncat_s()³`	`wcstok_s()²`	`wcsnlen_s()`
`wcrtomb_s()`	`mbsrtowcs_s()³`	`wcsrtombs_s()³`	`memset_s()⁴`

...

Depending on the library function called, an attacker may be able to use a heap or stack overflow vulnerability to run arbitrary code.

Rule	Severity	Likelihood	Detectable	RepairableRemediation Cost	Priority	Level
ARR38-C	High	Likely	No	NoMedium	P18P9	L1L2

Automated Detection

Supported, but no explicit checkerBADFUNC.BO.*
A collection of warning classes that report uses of library functions prone to internal buffer overflows

Array access out of bounds

Buffer

Invalid use of standard library memory routine

Invalid use of standard library string routine

Mismatch between data length and size

Pointer access out of bounds

Possible misuse of sizeof

Use of tainted pointer

Tool

Version

Checker

Description

Astrée

Include Page

	Astrée_V
	Astrée_V

array_out_of_bounds

Supported

Astrée reports all out-of-bound accesses within library analysis stubs. The user may provide additional stubs for arbitrary (library) functions.

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

LANG.MEM.BO
LANG.MEM.BU

Buffer overrun
Buffer underrun

Compass/ROSE

Coverity

Include Page

Compass/ROSE

Coverity

Include Page

Coverity_V
	Coverity_V

BUFFER_SIZE

BAD_SIZEOF

BAD_ALLOC_STRLEN

BAD_ALLOC_ARITHMETIC

Implemented

Cppcheck Premium

Include Page

	Cppcheck Premium_V
	Cppcheck Premium_V

premium-cert-arr38-c

Fortify SCA

5.0

Can detect violations of this rule with CERT C Rule PackKlocwork

Helix QAC

Include Page

Klocwork

	Helix QAC_V

Klocwork

	Helix QAC_V

C2840

DF2840, DF2841, DF2842, DF2843, DF2845, DF2846, DF2847, DF2848, DF2935, DF2936, DF2937, DF2938, DF4880, DF4881, DF4882, DF4883

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

ABV.GENERAL
ABV.GENERAL.MULTIDIMENSIONABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.ITERATOR
ABV.STACK
ABV.TAINTED
ABV.UNKNOWN_SIZE

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X

Partially Implmented

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-ARR38-a
CERT_C-ARR38-b
CERT_C-ARR38-c
CERT_C-ARR38-d

Avoid overflow when reading from a buffer
Avoid overflow when writing to a buffer
Avoid buffer overflow due to defining incorrect format limits
Avoid overflow due to reading a not zero terminated string

Parasoft Insure++ Runtime analysis

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

419, 420

Partially supported

Polyspace Bug Finder

Include Page

	Polyspace Bug Finder_V
	Polyspace Bug Finder_V

CERT C: Rule ARR38-C

Checks for:

Mismatch between data length and size
Invalid use of standard library memory routine
Possible misuse of sizeof
Buffer

overflow from incorrect string format specifier
Invalid use of standard library string routine
Destination buffer overflow in string manipulation
Destination buffer underflow in string manipulation

Array index outside bounds during array access

String format specifier causes buffer argument of standard library functions to overflow

Function writes to buffer at offset greater than buffer size

Function writes to buffer at a negative offset from beginning of buffer

Standard library memory function called with invalid arguments

Standard library string function called with invalid arguments

Data size argument is not computed from actual data length

Pointer dereference outside its bounds

Use of sizeof operator can cause unintended results

Pointer from an unsecure source may be NULL or point to unknown memory

PRQA QA-C

Include Page

PRQA QA-C_v

2845, 2846, 2847, 2848, 2849, 2930, 2932, 2933, 2934

Fully implemented

PRQA QA-C++

Include Page

cplusplus:PRQA QA-C++_V

2840, 2841, 2842, 2843, 2844

Fully implemented

Splint

Include Page

Splint_V

Rule partially covered.

Security Reviewer - Static Reviewer

6.02

C109

Fully Implemented

Splint

Include Page

	Splint_V
	Splint_V

TrustInSoft Analyzer

Include Page

	TrustInSoft Analyzer_V
	TrustInSoft Analyzer_V

out of bounds read

Partially verified.

Related Vulnerabilities

CVE-2016-2208 results from a violation of this rule. The attacker can supply a value used to determine how much data is copied into a buffer via memcpy(), resulting in a buffer overlow of attacker-controlled data.

...

Taxonomy	Taxonomy item	Relationship
C Secure Coding Standard	API00-C. Functions should validate their parameters	Prior to 2018-01-12: CERT: Unspecified Relationship
C Secure Coding Standard	ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array	Prior to 2018-01-12: CERT: Unspecified Relationship
C Secure Coding Standard	INT30-C. Ensure that unsigned integer operations do not wrap	Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961:2013	Forming invalid pointers by library functions [libptr]	Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013	Buffer Boundary Violation (Buffer Overflow) [HCB]	Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013	Unchecked Array Copying [XYW]	Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11	CWE-119 , Improper Restriction of Operations within the Bounds of a Memory Buffer	2017-05-18: CERT: Rule subset of CWE
CWE 2.11	CWE-121, Stack-based Buffer Overflow	2017-05-18: CERT: Partial overlap
CWE 2.11	CWE-123, Write-what-where Condition	2017-05-18: CERT: Partial overlap
CWE 2.11	CWE-125, Out-of-bounds Read	2017-05-18: CERT: Partial overlap
CWE 2.11	CWE-805, Buffer Access with Incorrect Length Value	2017-05-18: CERT: Partial overlap
CWE 3.1	CWE-129, Improper Validation of Array Index	2017-10-30:MITRE:Unspecified Relationship 2018-10-18:CERT:Rule subset of CWEPartial Overlap

CERT-CWE Mapping Notes

Key here for mapping notes

...

Arbitrary writes that do not involve standard C library functions

CWE-129 and ARR38-C

ARR38-C -CWE-129 = making library functions create invalid pointers without using untrusted data.

...

Space shortcuts

Page tree

Versions Compared

Old Version 154

New Version Current

Key

Automated Detection

Related Vulnerabilities

CERT-CWE Mapping Notes

CWE-129 and ARR38-C