...
Type alignment requirements can also affect the size of structures. For example, the size of the following structure is implementation-defined:
| Code Block |
|---|
struct s {
int i;
double d;
};
|
Assuming 32-bit integers and 64-bit doubles, for example, the size can range from 12 or 12 to 16 bytes, depending on alignment rules.
...
This noncompliant code example attempts to declare a two-dimensional array of integers with variable length rows. On a platform with 64-bit integers, the loop will access memory outside the allocated memory section.
| Code Block | ||||
|---|---|---|---|---|
| ||||
int f(void) { /* assumingAssuming 32-bit pointer, 32-bit integer */ size_t i; int **matrix = (int **)calloc(100, 4); if (matrix == NULL) { return -1; /* handle errorIndicate calloc() failure */ } for (i = 0; i < 100; i++) { matrix[i] = (int *)calloc(i, 4); if (matrix[i] == NULL) { return -1; /* handle errorIndicate calloc() failure */ } } return 0; } |
Compliant Solution
This compliant solution replaces the hard-coded value 4 with sizeof(int *).:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int f(void) { size_t i; int **matrix = (int **)calloc(100, sizeof(*matrix)); if (matrix == NULL) { return -1; /* handle errorIndicate calloc() failure */ } for (i = 0; i < 100; i++) { matrix[i] = (int *)calloc(i, sizeof(**matrix)); if (matrix[i] == NULL) { return -1; /* handle errorIndicate calloc() failure */ } } return 0; } |
Also see MEM02-C. Immediately cast the result of a memory allocation function call into a pointer to the allocated type for a discussion on the use of the sizeof operator with memory allocation functions.
Exceptions
EXP09-C-EX1: C99 explicitly The C Standard explicitly declares sizeof(char) == 1. So , so any sizes based on characters or character arrays may be evaluated without using sizeof. This does not apply to char* or any other data types.
...
Porting code with hard-coded sizes can result in a buffer overflow or related vulnerability.
Recommendation | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|---|---|
EXP09-C | High |
Unlikely |
No |
Yes | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| alloc-without-sizeof | Partially checked | ||||||
| Compass/ROSE |
...
Can detect violations of this recommendation. In particular, it looks for the size argument of |
...
and flags when it does not find a |
...
; in this case a string is being allocated, and | |||||||||
| ECLAIR |
| CC2.EXP09 | Can detect violations of this recommendation. In particular, it considers when the size of a type is used by malloc(), calloc() or realloc() and flags these functions if either the size argument does not use a sizeof operator, or the size argument uses sizeof, but the type of the returned value is not a pointer to the type of the argument to sizeof. It does not flag if the returned value is assigned to a char * | ||||||
| Helix QAC |
| C0701 | |||||||
| LDRA tool suite |
| 201 S | Partially implemented | ||||||
| CERT C: Rec. EXP09-C | Checks for hard-coded object size used to manipulate memory (rec. fully covered) | |||||||
| RuleChecker |
| alloc-without-sizeof | Partially checked | ||||||
| Security Reviewer - Static Reviewer |
| C38 C39 C40 C42 C44 C45 C46 C46 | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
...
Related Guidelines
...
...
...
References
| Wiki Markup |
|---|
\[[ISO/IEC 9899:1999|AA. References#ISO/IEC 9899-1999]\] Section 6.2.6, "Representations of types," and Section 6.5.3.4, "The sizeof operator"
\[[MITRE|AA. References#MITRE]\] [CWE ID 805|http://cwe.mitre.org/data/definitions/805.html], "Buffer Access with Incorrect Length Value" |
...