SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 171

changes.mady.by.user Swasti Shrivastava

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

where the integer expression size and the declaration of vla are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 7572.)  Additionally, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.

Because variable length arrays are a conditionally supported feature of C11, their use in portable code should be guarded by testing the value of the macro __STDC_NO_VLA__. Implementations that do not support variable length arrays indicate it by setting __STDC_NO_VLA__ to the integer constant 1.

Noncompliant Code Example

In this noncompliant code example, a variable length array of size size is declared. The size is declared as size_t in compliance with INT01-C. Use rsizesize_t or sizersize_t for all integer values representing the size of an object.

Code Block
bgColor#FFCCCC
langc
#include <stddef.h>

extern void do_work(int *array, size_t size);
 
void func(size_t size) {
  int vla[size];
  do_work(vla, size);
}

...

Failure to properly specify the size of a variable length array may allow arbitrary code execution or result in stack exhaustion.

Rule

Severity

Likelihood

Detectable

Remediation CostRepairable

Priority

Level

ARR32-C

High

Probable

No

NoHigh

P6

L2

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.SIZE.IOFLOW
ALLOC.SIZE.MULOFLOW
MISC.MEM.SIZE.BAD

Integer Overflow of Allocation Size
Multiplication Overflow of Allocation Size
Unreasonable Size Argument

Coverity
Include Page
Coverity_V
Coverity_V
REVERSE_NEGATIVEFully implemented
Cppcheck

Include Page
Cppcheck_V
Cppcheck_V

negativeArraySizeContext sensitive analysis
Will warn only if given size is negative


Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

negativeArraySize

premium-cert-arr32-c

Context sensitive analysis
Will warn only if given size is negative


Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1051
Klocwork
Include Page
Klocwork_V
Klocwork_V

MISRA.ARRAY.VAR_LENGTH.2012


LDRA tool suite
 
Include Page
LDRA_V
LDRA_V
621 SEnhanced enforcement
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-ARR32-a

Ensure the size of the variable length array is in valid range

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

9035

Assistance provided

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule ARR32-C

Checks for:

  • Memory allocation with tainted size
  • Tainted size of variable length array

Rule fully covered.

Security Reviewer - Static Reviewer

6.02

C101

Fully Implemented

TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

alloca_boundsExhaustively verified.

...