| Content by Label | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| Info |
|---|
Information for Editors |
Risk Assessment Summary
Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| INT30-C | High | Likely | No | No | P9 | L2 |
| INT31-C | High | Probable | No | Yes | P12 | L1 |
| INT32-C | High | Likely | No | Yes | P18 | L1 |
| INT33-C | Low | Likely | No | Yes | P6 | L2 |
| INT34-C | Low | Unlikely | No | Yes | P2 | L3 |
| INT35-C | Low | Unlikely | No | No | P1 | L3 |
| INT36-C | Low | Probable | Yes | No | P4 | L3 |
Related Rules and Recommendations
| Navigation Map | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
...
Integer values that originate from untrusted sources must be guaranteed correct if they are used in any of the following ways:
- as an array index
- in any pointer arithmetic
- as a length or size of an object
- as the bound of an array (for example, a loop counter)
- as an argument to a memory allocation function
- in security critical code
Integer values can be invalidated due to exceptional conditions such as overflow, truncation, or sign error leading to exploitable vulnerabilities. Failure to provide proper range checking can also lead to exploitable vulnerabilities.
Faced with an integer overflow, the underlying computer system may do one of two things: (a) signal some sort of error condition, or (b) produce an integer result that is within the range of representable integers on that system. The latter semantics may be preferable in some situations in that it allows the computation to proceed, thus avoiding a denial-of-service attack. However, it raises the question of what integer result to return to the user.
Below is set out definitions of two algorithms that produce integer results that are always within a defined range, namely between the integer values MIN and MAX (inclusive), where MIN and MAX are two representable integers with MIN < MAX. This method of producing integer results is called Verifiably-in-Range Integers. The two algorithms are Saturation and Modwrap, defined in the following two subsections.
Saturation Semantics
For saturation semantics, assume that the mathematical result of the computation is result. The value actually returned to the user is set out in the following table:
range of mathematical result | result returned |
|---|---|
| |
| |
| |
Modwrap Semantics
| Wiki Markup |
|---|
Modwrap semantics is where the integer values "wrap round" (also called _modulo_ arithmetic). That is, adding one to {{MAX}} produces {{MIN}}. This is the defined behavior for unsigned integers in the C Standard \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] (see Section 6.2.5, "Types", paragraph 9) and, very often, is the behavior of signed integers also. However, in many applications, it would be more sensible to use saturation semantics rather than modwrap semantics. For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow, rather than suddenly becoming a very small value. |
Recommendations
INT00-A. Understand the data model used by your implementation(s)
INT01-A. Use size_t for all integer values representing the size of an object
INT02-A. Understand integer conversion rules
INT03-A. Use a secure integer library
INT04-A. Enforce limits on integer values originating from untrusted sources
INT05-A. Do not input integer values using scanf() or other formatted input functions
INT06-A. Use strtol() to convert a string token to an integer
INT07-A. Explicitly specify signed or unsigned for character types
INT08-A. Verify that all integer values are in range
INT09-A. Ensure enumeration constants map to unique values
INT10-A. Define integer constants as an enum value
INT11-A. Be careful converting small signed integers to larger unsigned integers
INT12-A. Do not make assumptions about the type of a bit-field when used in an expression
Rules
INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
INT32-C. Ensure that integer operations do not result in an overflow
INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors
INT34-C. Ensure integer values are within valid ranges
INT35-C. Upcast integers before comparing or assigning to a larger integer size
INT36-C. Do not shift a negative number of bits or more bits than exist in the operand
INT37-C. Arguments to character handling functions must be representable as an unsigned char
Risk Assessment Summary
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
1 (low) | 1 (unlikely) | 1 (low) | P1 | L3 | |
2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 | |
2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 | |
2 (medium) | 2 (probable) | 1 (hig) | P4 | L3 | |
2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 | |
1 (low) | 1 (unlikely) | 3 (low) | P3 | L3 | |
2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 | |
3 (high) | 1 (probable) | 2 (medium) | P6 | L2 |
...
Rule
...
Severity
...
Likelihood
...
Remediation Cost
...
Priority
...
Level
...
...
3 (high)
...
2 (probable)
...
1 (high)
...
P6
...
L2
...
...
3 (high)
...
2 (probable)
...
1 (high)
...
P6
...
L2
...
...
2 (medium)
...
2 (probable)
...
2 (medium)
...
P8
...
L2
...
...
3 (high)
...
2 (probable)
...
1 (high)
...
P6
...
L2
...
...
3 (high)
...
3 (probable)
...
2 (medium)
...
P18
...
L1
...
...
2 (medium)
...
2 (probable)
...
2 (medium)
...
P8
...
L2
...
...
1 (low)
...
1 (unlikely)
...
3 (low)
...
P3
...