Information for Editors
To have a new guideline automatically listed above be sure to label it int and rule.

Risk Assessment Summary

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT30-CHighLikelyHigh

P9

L2

INT31-CHighProbableHigh

P6

L2

INT32-CHighLikelyHigh

P9

L2

INT33-CLowLikelyMedium

P6

L2

INT34-CLowUnlikelyMedium

P2

L3

INT35-CLowUnlikelyMedium

P2

L3

INT36-CLowProbableHigh

P2

L3

Related Rules and Recommendations


4 Comments

  1. Not sure where this should go, but you might want to mention arithmetic right shift as it can surprise people. We talk about it on page 273 of TAOSSA. Basically if the left operand of a right shift is signed, an arithmetic shift is performed, and the sign bit can be propagated as the number is shifted. So, you could have something like this:

    int print_high_byte(int number){    char buf[sizeof("256")];    sprintf(buf, "%u", number >> 24);        ...
    

     If number was 0x80000000, number >> 24 would be 0xFFFFFF80, thus overflowing buf.

    For bit extraction, one remediation is to use the idiom ((number >> 24) & 0xff). However, you really probably want to make sure that you're not right-shifting signed integers unless you expect arithmetic shift.

    1. I've added this as:

      INT13-A. Do not assume that a right shift operation is implemented as a logical or an arithmetic shift

      Thanks!

  2. A common vulnerability that I haven't seen explicitly called out in any of the rules in this section is calling the Character classification functions with an argument of type char in environments where char is a signed type. For example, the following program may exhibit undefined behavior when the value of the character argument passed to toupper() is negative:

    int strcasecmp(const char *s1, const char *s2) {
        int result;
        for (; (0 == (result = (toupper(*s1) - toupper(*s2)))) && *s1; ++s1, ++s2);
        return result;
    }
    

    The safe way to write the same function is like so:

    int strcasecmp(const char *s1, const char *s2) {
        int result;
        for (; (0 == (result = (toupper((unsigned char)*s1) - toupper((unsigned char)*s2)))) && *s1; ++s1, ++s2);
        return result;
    }
    
  3. I should have searched the site. This problem is already covered in STR37-C.