...
Some operators (the unary operator ~ , and the binary operators <<, >>, &, ^, and |, collectively described as bitwise operators) shall have operands that have integral type. These operators return values that depend on the internal representations of integers, and thus have implementation-defined and undefined aspects for signed types.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
int rc = 0;
unsigned int stringify = 0x80000000;
char buf[sizeof("256")];
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc == -1 || rc >= sizeof(buf)) {
/* Handle error */
} |
...
/ |
...
Noncompliant Code Example (enum)
In this noncompliant code example, initializer expressions for all enumeration constants in the enum attrib_mask are unsigned integers. However, the C Standard says (section 6.4.4.3, paragraph 2 [ISO/IEC 9899:2011]) that enumeration constants have type int. The bitwise OR is applied to signed integers which is implementation-defined.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum attrib_mask { POINT_BIT = 0x02U, LINE_BIT = 0x04U }; unsigned int mask = (POINT_BIT | LINE_BIT); |
Compliant Solution (enum)
One solution is to cast the enumeration constants to an unsigned type to eliminate any possible implementation-defined behavior. The initializer expressions and enumeration constants have type int:
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum attrib_mask
{
POINT_BIT = 2,
LINE_BIT = 4
};
unsigned int mask = ((unsigned int)POINT_BIT | (unsigned int)LINE_BIT); |
Exceptions
INT13-C-EX1: When used as bit flags, it is acceptable to use preprocessor macros or enumeration constants as arguments to the & and | operators even if the value is not explicitly declared as unsigned.
| Code Block | ||||
|---|---|---|---|---|
| ||||
fd = open(file_name, UO_WRONLY | UO_CREAT | UO_EXCL | UO_TRUNC, 0600); |
INT13-C-EX2: If the right-side operand to a shift operator is known at compile time, it is acceptable for the value to be represented with a signed type provided it is positive.
...
Performing bitwise operations on signed numbers can lead to buffer overflows and the execution of arbitrary code by an attacker in some cases, unexpected or implementation-defined behavior in others.
Recommendation | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level | |
|---|---|---|---|
INT13-C | High | Unlikely | Yes |
No | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| bitop-type | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-INT13 | |||||||
| CodeSonar |
| LANG.TYPE.IOT | Inappropriate operand type | ||||||
| Compass/ROSE |
Can detect violations of this rule. In particular, it flags bitwise operations that involved variables not declared with | |||||||||
| CC2.INT13 | Fully implemented |
5.0
| Helix QAC |
| C4532, C4533, C4534, C4543, C4544 | |||||||
| Klocwork |
| MISRA.BITS.NOT_UNSIGNED MISRA.BITS.NOT_UNSIGNED.PREP |
| LDRA tool suite |
| 50 S | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-INT13-a CERT_C-INT13-b | Operands of bitwise and complement operators shall have an unsigned type Operands of shift operators shall have an unsigned type | |||||||
| PC-lint Plus |
| 9233 | Partially supported: reports use of a bitwise operator on an expression with a signed MISRA C 2004 underlying type | ||||||
| Checks for bitwise operation on negative value (rec. fully covered) | ||||||||
| RuleChecker |
| bitop-type | Fully checked | ||||||
| SonarQube C/C++ Plugin |
|
| Splint |
|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID INT13-CPP. Use bitwise operators only on unsigned operands |
| ISO/IEC TR 24772:2013 | Bit Representations [STR] Arithmetic Wrap-around Error [FIF] Sign Extension Error [XZI] |
| MITRE CWE | CWE-682, Incorrect calculation |
Bibliography
| [Dowd 2006] | Chapter 6, "C Language Issues" |
| [C99 Rationale 2003] | Subclause 6.5.7, "Bitwise Shift Operators" |
...
...