Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
According to \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\],

The size of a structure is not always equal to the sum of the sizes of its members. Subclause 6.7.2.1 of the C Standard states, "There may be unnamed padding within a structure object, but not at its beginning" [ISO/IEC 9899:2011].

This is often referred to as unnamed padding is often called structure padding. Structure members are arranged in memory as they are declared in the program text. Padding may be added to the structure to ensure the structure is properly aligned in memory. Structure padding allows for faster member access on many architectures.

Rearranging the fields in a struct can change the size of the struct. It is possible to minimize padding anomalies if the fields are arranged in such a way that fields of the same size are grouped together.

Padding is also called struct member alignment. Many compilers provide a flag that controls how the members of a structure are packed into memory. Modifying this flag may cause the size of the structures to vary. Most compilers also include a keyword that removes all padding; the resulting structures are called packed structures.

...

Overriding the default behavior is often unwise because it leads to interface compatibility problems (the nominally same struct has its layout interpreted differently in different modules).

Noncompliant Code Example

The example below, is inspired by Dowd, This noncompliant code example assumes that the size of struct buffer is equal to the sum of the sizeof(size_t) + (sizeof(char) * 50)size of its individual components, which may be incorrectnot be the case [Dowd 2006]. The size of struct buffer may actually be a larger due to because of structure padding.

Code Block
bgColor#FFcccc
langc
enum { buffer_size = 50 };

struct buffer {
    size_t size;
    char bufferC[buffer[50_size];
};

/* ... */

void func(const struct buffer *buf) {

  /* assuming
   * Incorrectly assumes sizeof(size_tstruct buffer) is 4,=
   * sizeof(size_t) + sizeof(charbufferC)*50
 equals 54  */
  struct buffer *buf_cpy = (struct buffer *)malloc(
    sizeof(size_t) + (buffer_size * sizeof(char)*50) /* 1 */)
  );

  if (buf_cpy == NULL) {
    /* Handle malloc() error */
  }

  .../* 
 /  * withWith padding, sizeof(struct buffer) may be greater than 54, causing in a small buffer overflow 
   * sizeof(size_t) + sizeof(buff.bufferC), causing some data  
   * to be written outside the bounds of the memory allocated.
   */
  memcpy(buf_cpy, buf, sizeof(struct buffer));

  /* ... */

  free(buf_cpy);
}

Compliant Solution

Accounting for structure padding prevents these types of errors.:

Code Block
bgColor#ccccff
langc
enum { buffer_size = 50 };

struct buffer {
    size_t size;
    char bufferC[buffer[50_size];
};

/* ... */

void func(const struct buffer *buf) {

  struct buffer *buf_cpy = 
    (struct buffer *)malloc((sizeof(struct buffer));

  if (buf_cpy == NULL) {
    /* Handle malloc() error */
  }

  /* ... */

  memcpy(buf_cpy, buf, sizeof(struct buffer));

  /* ... */

  free(buf_cpy);
}

References

...

Risk Assessment

Failure to correctly determine the size of a structure can lead to subtle logic errors and incorrect calculations, the effects of which can lead to abnormal program termination, memory corruption, or execution of arbitrary code.

Recommendation

Severity

Likelihood

Detectable

Repairable

Priority

Level

EXP03-C

High

Unlikely

No

No

P3

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported: Astrée reports accesses outside the bounds of allocated memory.
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0697
LDRA tool suite
Include Page
LDRA_V
LDRA_V

578 S

Enhanced enforcement

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec EXP03-C

Checks for incorrectly computed struct size (rec. fully covered).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[Dowd 2006]Chapter 6, "C Language Issues" ("Structure Padding," pp. 284–287)
[ISO/IEC 9899:2011]Subclause 6.7.2.1,

...

"Structure

...

and Union Specifiers"
[Sloss 2004]Section 5.7, "Structure Arrangement"


...

Image Added Image Added Image Added

...