Integer values that originate from untrusted sources must be guaranteed correct if they are used in any of the following ways:
- as an array index
- in any pointer arithmetic
- as a length or size of an object
- as the bound of an array (for example, a loop counter)
- as an argument to a memory allocation function
- in security critical code
Integer values can be invalidated due to exceptional conditions such as overflow, truncation, or sign error leading to exploitable vulnerabilities. Failure to provide proper range checking can also lead to exploitable vulnerabilities.
Recommendations
INT00-A. Understand the data model used by your implementation(s)
INT01-A. Use rsize_t or size_t for all integer values representing the size of an object
INT02-A. Understand integer conversion rules
INT03-A. Use a secure integer library
INT04-A. Enforce limits on integer values originating from untrusted sources
INT06-A. Use strtol() or a related function to convert a string token to an integer
INT07-A. Use only explicitly signed or unsigned char type for numeric values
INT08-A. Verify that all integer values are in range
INT09-A. Ensure enumeration constants map to unique values
INT10-A. Do not make assumptions about the sign of the remainder when using the % operator
INT11-A. Do not make assumptions about the layout of bit-field structures
INT12-A. Do not make assumptions about the type of a plain int bit-field when used in an expression
INT14-A. Avoid performing bitwise and arithmetic operations on the same data
INT15-A. Take care when converting from pointer to integer or integer to pointer
Rules
INT30-C. Ensure that unsigned integer operations do not wrap
INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
INT32-C. Ensure that operations on signed integers do not result in overflow
INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors
INT34-C. Arguments to character handling functions must be representable as an unsigned char
INT35-C. Evaluate integer expressions in a larger size before comparing or assigning to that size
INT36-C. Do not shift a negative number of bits or more bits than exist in the operand
Risk Assessment Summary
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
INT00-A |
1 (low) |
1 (unlikely) |
1 (high) |
P1 |
L3 |
INT01-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
INT02-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
INT03-A |
2 (medium) |
2 (probable) |
1 (high) |
P4 |
L3 |
INT04-A |
1 (low) |
2 (probable) |
1 (high) |
P2 |
L3 |
INT05-A |
2 (medium) |
2 (probable) |
1 (high) |
P2 |
L3 |
INT06-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
INT07-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
INT08-A |
2 (medium) |
2 (probable) |
1 (high) |
P4 |
L3 |
INT09-A |
1 (low) |
1 (unlikely) |
3 (low) |
P3 |
L3 |
INT10-A |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
INT11-A |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
INT12-A |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
INT13-A |
3 (high) |
1 (unlikely) |
2 (medium) |
P6 |
L2 |
INT14-A |
2 (medium) |
1 (unlikely) |
2 (medium) |
P4 |
L3 |
INT15-A |
1 (low) |
2 (probable) |
1 (high) |
P2 |
L3 |
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
INT30-C |
3 (high) |
3 (likely) |
1 (high) |
P9 |
L2 |
INT31-C |
3 (high) |
2 (probable) |
1 (high) |
P6 |
L2 |
INT32-C |
3 (high) |
3 (likely) |
1 (high) |
P9 |
L2 |
INT33-C |
1 (low) |
2 (probable) |
2 (medium) |
P4 |
L3 |
INT35-C |
3 (high) |
3 (likely) |
2 (medium) |
P18 |
L1 |
INT36-C |
3 (high) |
2 (probable) |
2 (medium) |
P12 |
L1 |
EXP39-C. Avoid side effects in assertions 03. Expressions (EXP) INT00-A. Understand the data model used by your implementation(s)