...
Annex J of the C Standard [ISO/IEC 9899:20112024] states that it is undefined behavior if the "pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid." (See undefined behavior 109108.)
In the following code,
| Code Block |
|---|
int arr[5]; int *p = arr; unsigned char *p2 = (unsigned char *)arr; unsigned char *p3 = arr + 2; void *p4 = arr; |
...
fgets() | fgetws() | mbstowcs()1 | wcstombs()1 |
mbrtoc16()2 | mbrtoc32()2 | mbsrtowcs()1 | wcsrtombs()1 |
mbtowc()2 | mbrtowc()1 2 | mblen() | mbrlen() |
memchr() | wmemchr() | memset() | wmemset() |
strftime() | wcsftime() | strxfrm()1 | wcsxfrm()1 |
strncat()2 | wcsncat()2 | snprintf() | vsnprintf() |
swprintf() | vswprintf() | setvbuf() | tmpnam_s() |
snprintf_s() | sprintf_s() | vsnprintf_s() | vsprintf_s() |
gets_s() | getenv_s() | wctomb_s() | mbstowcs_s()3 |
wcstombs_s()3 | memcpy_s()3 | memmove_s()3 | strncpy_s()3 |
strncat_s()3 | strtok_s()2 | strerror_s() | strnlen_s() |
asctime_s() | ctime_s() | snwprintf_s() | swprintf_s() |
vsnwprintf_s() | vswprintf_s() | wcsncpy_s()3 | wmemcpy_s()3 |
wmemmove_s()3 | wcsncat_s()3 | wcstok_s()2 | wcsnlen_s() |
wcrtomb_s() | mbsrtowcs_s()3 | wcsrtombs_s()3 | memset_s()4 |
...
Depending on the library function called, an attacker may be able to use a heap or stack overflow vulnerability to run arbitrary code.
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
ARR38-C | High | Likely | No | NoMedium | P18P9 | L1L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| array_out_of_bounds | Supported Astrée reports all out-of-bound accesses within library analysis stubs. The user may provide additional stubs for arbitrary (library) functions. | ||||||||||||||||||
| CodeSonar |
| LANG.MEM.BO | Buffer overrun | A collection of warning classes that report uses of library functions prone to internal buffer overflows||||||||||||||||||
| Coverity |
| BUFFER_SIZE BAD_SIZEOF BAD_ALLOC_STRLEN BAD_ALLOC_ARITHMETIC | Implemented | ||||||||||||||||||
| Cppcheck Premium |
| premium-cert-arr38-c | |||||||||||||||||||
5.0 | Can detect violations of this rule with CERT C Rule Pack | ||||||||||||||||||||
| Helix QAC |
| C2840 DF2840, DF2841, DF2842, DF2843, DF2845, DF2846, DF2847, DF2848, DF2935, DF2936, DF2937, DF2938, DF4880, DF4881, DF4882, DF4883 | |||||||||||||||||||
| | Include Page | | Klocwork_V | Klocwork_V | ABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.ITERATOR
ABV.STACK
ABV.TAINTED
ABV.UNKNOWN_SIZEGENERAL.MULTIDIMENSION
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
CERT_C-ARR38-a
CERT_C-ARR38-b
CERT_C-ARR38-c
CERT_C-ARR38-d
Avoid overflow when reading from a buffer
Avoid overflow when writing to a buffer
Avoid buffer overflow due to defining incorrect format limits
Avoid overflow due to reading a not zero terminated string
| Include Page | ||||
|---|---|---|---|---|
|
419, 420
Partially supported
| Include Page | ||||
|---|---|---|---|---|
|
Checks for:
- Mismatch between data length and size
- Invalid use of standard library memory routine
- Possible misuse of sizeof
- Buffer overflow from incorrect string format specifier
- Invalid use of standard library string routine
- Destination buffer overflow in string manipulation
- Destination buffer underflow in string manipulation
Rule partially covered.
2840, 2841, 2842, 2843, 2845, 2846,
2847, 2848, 2935, 2936, 2937, 2938
2840, 2841, 2842, 2843, 2845, 2846,
2847, 2848, 2935, 2936, 2937, 2938
| Include Page | ||||
|---|---|---|---|---|
|
| Include Page | ||||
|---|---|---|---|---|
|
Related Vulnerabilities
CVE-2016-2208 results from a violation of this rule. The attacker can supply a value used to determine how much data is copied into a buffer via memcpy(), resulting in a buffer overlow of attacker-controlled data.
...
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| C Secure Coding Standard | API00-C. Functions should validate their parameters | Prior to 2018-01-12: CERT: Unspecified Relationship |
| C Secure Coding Standard | ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array | Prior to 2018-01-12: CERT: Unspecified Relationship |
| C Secure Coding Standard | INT30-C. Ensure that unsigned integer operations do not wrap | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961:2013 | Forming invalid pointers by library functions [libptr] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Buffer Boundary Violation (Buffer Overflow) [HCB] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Unchecked Array Copying [XYW] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2017-05-18: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-121, Stack-based Buffer Overflow | 2017-05-18: CERT: Partial overlap |
| CWE 2.11 | CWE-123, Write-what-where Condition | 2017-05-18: CERT: Partial overlap |
| CWE 2.11 | CWE-125, Out-of-bounds Read | 2017-05-18: CERT: Partial overlap |
| CWE 2.11 | CWE-805, Buffer Access with Incorrect Length Value | 2017-05-18: CERT: Partial overlap |
| CWE 3.1 | CWE-129, Improper Validation of Array Index | 2017-10-30:MITRE:Unspecified Relationship 2018-10-18:CERT:Partial Overlap |
CERT-CWE Mapping Notes
Key here for mapping notes
...
- Arbitrary writes that do not involve standard C library functions
CWE-129 and ARR38-C
ARR38-C -CWE-129 = making library functions create invalid pointers without using untrusted data.
...