...
However, this rule is applicable only in only in cases where the character data may contain values that can be interpreted misinterpreted as negative numbers. For example, if the char type is represented by a two's complement 8-bit value, any character value greater than +127 is interpreted as a negative value.
...
This noncompliant code example is taken from a vulnerability in bash versions 1.14.6 and earlier that led to the release of CERT Advisory CA-1996-22. This vulnerability resulted from the sign extension of character data referenced by the c_str pointer in the yy_string_get() function in the parse.y module of the bash source code,:
| Code Block | ||||
|---|---|---|---|---|
| ||||
static int yy_string_get(void) {
register char *c_str;
register int c;
c_str = bash_input.location.string;
c = EOF;
/* If the string doesn't exist or is empty, EOF found */
if (c_str && *c_str) {
c = *c_str++;
bash_input.location.string = c_str;
}
return (c);
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <limits.h>
#include <stddef.h>
static const char table[UCHAR_MAX + 1] = { 'a' /* ... */ };
ptrdiff_t first_not_in_table(const char *c_str) {
for (const char *s = c_str; *s; ++s) {
if (table[(unsigned int)*s] != *s) {
return s - c_str;
}
}
return -1;
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <limits.h>
#include <stddef.h>
static const char table[UCHAR_MAX + 1] = { 'a' /* ... */ };
ptrdiff_t first_not_in_table(const char *c_str) {
for (const char *s = c_str; *s; ++s) {
if (table[(unsigned char)*s] != *s) {
return s - c_str;
}
}
return -1;
}
|
Exceptions
STR34-C-EX1: This rule only applies to characters that are to be treated as unsigned chars for some purpose, such as being passed to the isdigit() function. Characters that hold small integer values for mathematical purposes need not comply with this rule.
Risk Assessment
Conversion of character data resulting in a value in excess of UCHAR_MAX is an often-missed error that can result in a disturbingly broad range of potentially severe vulnerabilities.
Rule | Severity | Likelihood |
|---|
Detectable | Repairable | Priority | Level |
|---|---|---|---|
STR34-C | Medium | Probable | Yes |
No | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| char-sign-conversion | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-STR34 | Fully implemented | ||||||
| CodeSonar |
| MISC.NEGCHAR | Negative Character Value | ||||||
| Compass/ROSE |
Can detect violations of this rule when checking for violations of INT07-C. Use only explicitly signed or unsigned char type for numeric values | |||||||||
| Coverity |
| MISRA C 2012 Rule 10.1 MISRA C 2012 Rule 10.2 MISRA C 2012 Rule 10.3 MISRA C 2012 Rule 10.4 | Implemented Essential type checkers | ||||||
| Cppcheck Premium |
| premium-cert-str34-c | |||||||
| CC2.STR34 | Fully implemented |
5.0
Can detect violations of this rule with CERT C Rule Pack
| GCC | 2.95 and later | Detects objects of type | |||||||
| Helix QAC |
| C2140, C2141, C2143, C2144, C2145, C2147, C2148, C2149, C2151, C2152, C2153, C2155 C++3051 | |||||||
| Klocwork |
| CXX.CAST.SIGNED_CHAR_TO_INTEGER | |||||||
| LDRA tool suite |
| 434 S | Partially implemented |
| Parasoft C/C++test |
| CERT_C-STR34-b | Cast characters to unsigned char before assignment to larger integer sizes | ||||||
| PC-lint Plus |
| 571 | Partially supported | ||||||
| CERT C: Rule STR34-C | Checks for misuse of sign-extended character value (rule fully covered) | |||||||
| RuleChecker |
| char-sign-conversion | Fully checked | ||||||
| TrustInSoft Analyzer |
| out of bounds read | Partially verified (exhaustively detects undefined behavior). |
Related Vulnerabilities
CVE-2009-0887 results from a violation of this rule. In Linux PAM (up to version 1.0.3), the libpam implementation of strtok() casts a (potentially signed) character to an integer for use as an index to an array. An attacker can exploit this vulnerability by inputting a string with non-ASCII characters, causing the cast to result in a negative index and accessing memory outside of the array [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CERT C Secure Coding Standard | STR37-C. Arguments to character-handling functions must be representable as an unsigned char STR04-C. Use plain char for characters in the basic character set ARR30-C. Do not form or use out-of-bounds pointers or array subscripts |
| ISO/IEC TS 17961:2013 | Conversion of signed characters to wider integer types before a check for EOF [signconv] |
| MISRA-C:2012 | Rule 10.1 |
(required) Rule 10.2 (required) Rule 10.3 (required) Rule 10.4 (required) | |
| MITRE CWE | CWE-704, Incorrect Type Conversion or Cast |
Bibliography
...
...