Risk Assessment Summary
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT30-C | High | Likely | High | P9 | L2 |
INT31-C | High | Probable | High | P6 | L2 |
INT32-C | High | Likely | High | P9 | L2 |
INT33-C | Low | Likely | Medium | P6 | L2 |
INT34-C | Low | Unlikely | Medium | P2 | L3 |
INT35-C | Low | Unlikely | Medium | P2 | L3 |
INT36-C | Low | Probable | High | P2 | L3 |
Related Rules and Recommendations
|
|
4 Comments
John McDonald
Not sure where this should go, but you might want to mention arithmetic right shift as it can surprise people. We talk about it on page 273 of TAOSSA. Basically if the left operand of a right shift is signed, an arithmetic shift is performed, and the sign bit can be propagated as the number is shifted. So, you could have something like this:
If number was 0x80000000, number >> 24 would be 0xFFFFFF80, thus overflowing buf.
For bit extraction, one remediation is to use the idiom ((number >> 24) & 0xff). However, you really probably want to make sure that you're not right-shifting signed integers unless you expect arithmetic shift.
Robert Seacord
I've added this as:
INT13-A. Do not assume that a right shift operation is implemented as a logical or an arithmetic shift
Thanks!
Martin Sebor
A common vulnerability that I haven't seen explicitly called out in any of the rules in this section is calling the Character classification functions with an argument of type
char
in environments wherechar
is a signed type. For example, the following program may exhibit undefined behavior when the value of the character argument passed totoupper()
is negative:The safe way to write the same function is like so:
Martin Sebor
I should have searched the site. This problem is already covered in STR37-C.