Risk Assessment Summary
Related Rules and Recommendations
Not sure where this should go, but you might want to mention arithmetic right shift as it can surprise people. We talk about it on page 273 of TAOSSA. Basically if the left operand of a right shift is signed, an arithmetic shift is performed, and the sign bit can be propagated as the number is shifted. So, you could have something like this:
If number was 0x80000000, number >> 24 would be 0xFFFFFF80, thus overflowing buf.
For bit extraction, one remediation is to use the idiom ((number >> 24) & 0xff). However, you really probably want to make sure that you're not right-shifting signed integers unless you expect arithmetic shift.
I've added this as:
INT13-A. Do not assume that a right shift operation is implemented as a logical or an arithmetic shift
A common vulnerability that I haven't seen explicitly called out in any of the rules in this section is calling the Character classification functions with an argument of type
charin environments where
charis a signed type. For example, the following program may exhibit undefined behavior when the value of the character argument passed to
The safe way to write the same function is like so:
I should have searched the site. This problem is already covered in STR37-C.