Variable length arrays (VLA) are essentially the same as traditional C arrays, the major difference being they are declared with a size that is not a constant integer expression. A variable length array can be declared as follows:
char vla[s];
The above statement is evaluated at runtime allocating storage for scharacters in stack memory. If a size argument supplied to VLAs is not a positive integer value of reasonable size, then the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data (Feline 1). The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.
Non-Compliant Example
In this example, a VLA of size s is declared. In accordance with Recommendation INT01-A. Use size_t for all integer values representing the size of an object, s is of type size_t as it is used to specify the size of an object. However, it is unclear whether or not the value of s is a valid size argument. Depending on how VLAs are implemented s may be interpreted as a negative value or a very large value. In either case, this may result in a security vulnerability.
void func(size_t s) {
vla[s];
...
}
...
func(size);
...
Compliant Solution
Validate size arguments used in VLA declarations. The solution below ensures the size argument, s, supplied to allocate vla is in a valid range: 0 to a user defined constant.
#define MAX_ARRAY 1024
void func(size_t s) {
vla[s];
...
}
...
if (size < MAX_ARRAY && size != 0) {
func(size);
} else {
/* Handle Error */
}
...
References
Feline 1: http://felinemenace.org/papers/p63-0x0e_Shifting_the_Stack_Pointer.txt