Comment: REM Cost Reform

...

```c
#include <stdio.h>

/* Noncompliant: the callback is stored as a plain function pointer. Any
   memory-corruption primitive that reaches log_fn redirects the call. */
int (*log_fn)(const char *, ...) = printf;

int main(void) {
    /* ... */
    log_fn("foo");
    return 0;
}
```

If this program contains a vulnerability that lets an attacker overwrite log_fn, such as a buffer overflow or an arbitrary memory write, the attacker can replace the stored address of printf with the address of an arbitrary function, and the next call through log_fn transfers control to it.

...

```c
#include <stdio.h>
#include <Windows.h>

int main(void) {
    /* Compliant: store the callback encoded with a per-process secret,
       so a raw address written over it does not decode to a usable target. */
    void *log_fn = EncodePointer((void *)printf);
    /* ... */
    /* Decode immediately before use; the clear pointer never sits in memory
       between calls. */
    int (*fn)(const char *, ...) = (int (*)(const char *, ...))DecodePointer(log_fn);

    fn("foo");
    return 0;
}
```

Note that DecodePointer() does not report success or failure. If an attacker has overwritten the encoded value stored in log_fn, DecodePointer() returns an invalid pointer and the call through it crashes the application. That is preferable to giving the attacker control of the call target, but it is a crash rather than a detected attack; code that must fail closed should check the decoded pointer against the set of callbacks it expects before calling it.
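The following C program, added here as an example and not code from the CERT page, puts the two layouts side by side: a hypothetical logger object whose callback pointer sits right after a fixed-size name buffer, once stored in the clear and once stored through EncodePointer(). The attacker's primitive is simulated by corrupt_slot(), which writes the raw address of a hypothetical gadget evil() into the pointer slot. On Windows the real EncodePointer()/DecodePointer() are used; on other platforms the program defines a stand-in of the same shape (assumption: XOR with a per-process secret read from /dev/urandom, then a rotate, the scheme glibc's PTR_MANGLE uses), so the demonstration still runs. The allowlist in known_logger() is the check the note above asks for, since DecodePointer() itself reports nothing.

```c
/*
 * Added example (not from the CERT page). Structures, evil(), corrupt_slot()
 * and known_logger() are hypothetical; the non-Windows Encode/DecodePointer
 * are a stand-in (assumption: XOR with a per-process secret, then rotate).
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef int (*log_fn_t)(const char *, ...);

#ifdef _WIN32
#include <windows.h>
#else
#define PTR_BITS (sizeof(uintptr_t) * CHAR_BIT)
static uintptr_t g_secret;                 /* per-process secret (stand-in) */

static void ensure_secret(void) {
    if (g_secret != 0) return;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&g_secret, sizeof g_secret, 1, f) != 1)
        g_secret = (uintptr_t)&g_secret ^ (uintptr_t)time(NULL); /* weak fallback */
    if (f != NULL) fclose(f);
    g_secret |= 1;                         /* never the identity mask */
}
static uintptr_t rotl(uintptr_t v, unsigned n) { return (v << n) | (v >> (PTR_BITS - n)); }
static uintptr_t rotr(uintptr_t v, unsigned n) { return (v >> n) | (v << (PTR_BITS - n)); }
static void *EncodePointer(void *p) { ensure_secret(); return (void *)rotl((uintptr_t)p ^ g_secret, 17); }
static void *DecodePointer(void *p) { ensure_secret(); return (void *)(rotr((uintptr_t)p, 17) ^ g_secret); }
#endif

/* Function pointers and void * are bit-copied rather than cast (assumption: same size). */
static void *fn_to_ptr(log_fn_t f) { void *p; memcpy(&p, &f, sizeof p); return p; }
static log_fn_t ptr_to_fn(void *p) { log_fn_t f; memcpy(&f, &p, sizeof f); return f; }

/* Hypothetical attacker gadget: where a hijacked call must never land. */
static int evil(const char *fmt, ...) { (void)fmt; return -1; }

/* Hypothetical victim objects: a name buffer sits directly before the callback. */
struct logger_plain { char name[16]; log_fn_t fn; };      /* noncompliant layout */
struct logger_enc   { char name[16]; void *fn_encoded; }; /* compliant layout    */

/* Simulated memory-corruption primitive: a raw address written into the slot at off. */
static void corrupt_slot(void *obj, size_t off, void *raw_addr) {
    memcpy((unsigned char *)obj + off, &raw_addr, sizeof raw_addr);
}

/* Allowlist of loggers we are willing to call; DecodePointer() reports nothing itself. */
static int known_logger(void *p) { return p == fn_to_ptr(printf); }

/* Noncompliant: after the write, the call goes straight to evil(). Returns 1 if hijacked. */
static int plain_hijacked(void) {
    struct logger_plain l;
    memset(&l, 0, sizeof l);
    strcpy(l.name, "syslog");
    l.fn = printf;
    corrupt_slot(&l, offsetof(struct logger_plain, fn), fn_to_ptr(evil));
    return l.fn("foo") == -1;              /* evil() returns -1: attacker controls the call */
}

/* Compliant, untouched: decoding recovers printf and the call works. Returns 1 on success. */
static int encoded_roundtrip(void) {
    struct logger_enc l;
    memset(&l, 0, sizeof l);
    l.fn_encoded = EncodePointer(fn_to_ptr(printf));
    void *decoded = DecodePointer(l.fn_encoded);
    if (!known_logger(decoded)) return 0;
    return ptr_to_fn(decoded)("foo\n") == 4;
}

/* Compliant, attacked: the same raw write decodes to an unrelated value, which the
   allowlist rejects (without the check, calling it would fault). Returns 1 if resisted. */
static int encoded_resists(void) {
    struct logger_enc l;
    memset(&l, 0, sizeof l);
    l.fn_encoded = EncodePointer(fn_to_ptr(printf));
    corrupt_slot(&l, offsetof(struct logger_enc, fn_encoded), fn_to_ptr(evil));
    void *decoded = DecodePointer(l.fn_encoded);
    return decoded != fn_to_ptr(evil) && !known_logger(decoded);
}

int main(void) {
    printf("plaintext pointer hijacked:  %s\n", plain_hijacked() ? "yes" : "no");
    printf("encoded pointer round-trips: %s\n", encoded_roundtrip() ? "yes" : "no");
    printf("encoded pointer resists:     %s\n", encoded_resists() ? "yes" : "no");
    return 0;
}
```

The stand-in is only there so the program runs off Windows; it uses a secret drawn once per process, exactly the property the real API provides, but it is not a substitute for EncodePointer() in production code. The allowlist is what turns the "invalid pointer, then crash" outcome described above into a refused call.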

Risk Assessment

This revision (comment: REM Cost Reform) replaces the Remediation Cost column with Detectable and Repairable and recomputes the priority and level.

Before this revision:

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| WIN04-C | High | Unlikely | Low | P9 | L2 |

After this revision:

| Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| WIN04-C | High | Unlikely | No | No | P3 | L3 |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

| SEI CERT C++ Coding Standard | VOID MSC16-CPP. Consider encrypting function pointers |
|---|---|
| MITRE CWE | CWE-311, Missing Encryption of Sensitive Data |
| | CWE-319, Cleartext Transmission of Sensitive Information |

Bibliography

[MSDN] EncodePointer(), DecodePointer()
[Microsoft Corporation 2012] Microsoft Security Development Lifecycle (SDL), version 5.2, Phase 3: Implementation

...