
...

Noncompliant Code Example

The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer overflow vulnerability resulting from an unsigned integer wrap during the multiplication of the signed int value pen->num_vertices and the size_t value sizeof(cairo_pen_vertex_t) [VU#551436]. The signed int operand is converted to size_t prior to the multiplication, so the multiplication takes place between two size_t integers, which are unsigned and therefore wrap silently on overflow. (See recommendation INT02-C. Understand integer conversion rules.)

pen->num_vertices = _cairo_pen_vertices_needed(
  gstate->tolerance, radius, &gstate->ctm
);
/* num_vertices (signed int) is converted to size_t before the multiply;
   the product can wrap, so malloc() may receive a much smaller size than
   the code later writes into the buffer. */
pen->vertices = malloc(
  pen->num_vertices * sizeof(cairo_pen_vertex_t)
);
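As an added example (not cairo's code and not part of the original page), the unchecked expression above placed beside a checked version that tests for wrap before calling malloc(). cairo_pen_vertex_t is a stand-in struct, and mul_wraps, checked_vertex_bytes and alloc_vertices are hypothetical names chosen for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for cairo's vertex type (the real layout is not on the page). */
typedef struct { double x, y; } cairo_pen_vertex_t;

/* 1 if a * b would wrap around size_t, 0 otherwise. The division-based
 * test cannot itself wrap, which is what exception INT30-EX2 relies on. */
int mul_wraps(size_t a, size_t b) {
    return b != 0 && a > SIZE_MAX / b;
}

/* The noncompliant expression: the int operand is converted to size_t, so a
 * negative count becomes a huge value and the product silently wraps. */
size_t unchecked_vertex_bytes(int num_vertices) {
    return num_vertices * sizeof(cairo_pen_vertex_t);
}

/* Byte count for the vertex array, or 0 when num_vertices is not a positive
 * count or the multiplication would wrap (a pen needs at least one vertex). */
size_t checked_vertex_bytes(int num_vertices) {
    if (num_vertices <= 0)
        return 0;
    size_t n = (size_t)num_vertices;
    if (mul_wraps(n, sizeof(cairo_pen_vertex_t)))
        return 0;
    return n * sizeof(cairo_pen_vertex_t);
}

/* Compliant allocation: refuses rather than passing a wrapped size to malloc. */
cairo_pen_vertex_t *alloc_vertices(int num_vertices) {
    size_t bytes = checked_vertex_bytes(num_vertices);
    return bytes ? malloc(bytes) : NULL;
}

int main(void) {
    int counts[] = { 4, -1, 0 };   /* constructed sample counts */
    for (size_t i = 0; i < 3; i++) {
        cairo_pen_vertex_t *v = alloc_vertices(counts[i]);
        printf("num_vertices=%d unchecked=%zu checked=%zu alloc=%s\n",
               counts[i], unchecked_vertex_bytes(counts[i]),
               checked_vertex_bytes(counts[i]), v ? "ok" : "refused");
        free(v);
    }
    return 0;
}
```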

...

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
INT30-C  high      likely      high              P9        L2

Automated Detection

Tool          Version  Checker  Description
Fortify SCA   V. 5.0            Can detect violations of this rule with the CERT C Rule Pack.
Compass/ROSE                    Can detect violations of this rule by ensuring that operations are checked for overflow before being performed. Be mindful of exception INT30-EX2, because it excuses many operations from requiring validation, including all the operations that would validate a potentially dangerous operation. For instance, adding two unsigned int values together requires validation involving subtracting one of the numbers from UINT_MAX, which itself requires no validation, as it cannot wrap.

Related Vulnerabilities

CVE-2009-1385 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1385) results from a violation of this rule. The code performs an unchecked subtraction on the length of a buffer and then adds that many bytes of data to another buffer [xorl 2009]. This can cause a buffer overflow, which allows an attacker to execute arbitrary code.

A Linux kernel vmsplice exploit, described in [Wojtczuk 2008], documents a vulnerability and exploit arising from a buffer overflow caused by unsigned integer wrapping.

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

MITRE CWE: CWE-190, "Integer Overflow (Wrap or Wraparound)"

Bibliography

...

[Dowd 2006] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
[Seacord 2005] Chapter 5, "Integers"
[Viega 2005] Section 5.2.7, "Integer overflow"
[VU#551436]
[Warren 2002] Chapter 2, "Basics"
[Wojtczuk 2008]
[xorl 2009] "CVE-2009-1385: Linux kernel E1000 Integer Underflow", http://xorl.wordpress.com/2009/06/10/cve-2009-1385-linux-kernel-e1000-integer-underflow/

...
