Integer values used as a size argument to malloc(), calloc(), or realloc() can be manipulated by an attacker to cause a buffer overflow. Inadequate range checking, integer overflow, or truncation can result in the allocation of an inadequately sized buffer. The programmer must ensure that size arguments to memory allocation functions allocates sufficient memory.
Non-Compliant Code Example
In this non-compliant code example, cBlocks is multiplied by 16 and the result is stored in the unsigned long long int alloc.
void* AllocBlocks(size_t cBlocks) {
if (cBlocks == 0) return NULL;
unsigned long long alloc = cBlocks * 16;
return (alloc < UINT_MAX)
? malloc(cBlocks * 16)
: NULL;
}
If size_t is represented as a 32-bit unsigned value and unsigned long long represented as a 64-bit unsigned value, for example, the result of this multiplication can still overflow because the actual multiplication is a 32-bit operation. As a result, the value stored in alloc will always be less than UINT_MAX.
If both size_t and unsigned long long types are represented as a 64-bit unsigned value, the result of the multiplication operation may not be representable as an unsigned long long value.
Compliant Solution
Make sure that integer values passed as size arguments to memory allocation functions are valid and have not been corrupted due to integer overflow, truncation, or sign error [[04. Integers (INT)]]. In the following example, the multsize_t() function multiples two values of type size_t and sets errno to a non-zero value if the resulting value cannot be represented as a size_t.
void *AllocBlocks(size_t cBlocks) {
size_t alloc;
if (cBlocks == 0) return NULL;
alloc = multsize_t(cBlocks, 16);
if (errno) {
return NULL;
}
else {
return malloc(alloc);
}
} /* end AllocBlocks */
Non-Compliant Code Example
In this non-compliant code example, the string referenced by str and the string length represented by len orginate from untrusted sources. The length is used to perform a memcpy() into the fixed size static array buf. The len variable is guaranteed to be less than BUFF_SIZE. However, because len is declared as an int it could have a negative value that would bypass the check. The memcpy() function implicitly converts len to an unsigned size_t type, and the resulting operation results in a buffer overflow.
int len;
char *str;
char buf[BUFF_SIZE];
...
if (len < BUFF_SIZE){
memcpy(buf, str, len);
}
...
Compliant Solution
In this compliant solution, len is declared as a size_t to there is no possibility of this variable having a negative value and bypassing the range check.
size_t len;
char *str;
char buf[BUFF_SIZE];
...
if (len < BUFF_SIZE){
memcpy(buf, str, len);
}
...
Risk Assessment
Providing invalid size arguments to memory allocation functions can lead to buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MEM35-C |
3 (high) |
2 (probable) |
1 (high) |
P6 |
L2 |
References
[[ISO/IEC 9899-1999]] Section 7.20.3, "Memory Management Functions"
[[Seacord 05]] Chapter 4, "Dynamic Memory Management"; Chapter 5, "Integer Security"