Variable length arrays (VLA) are basically the same as traditional C arrays, the major difference being they are declared with a size that is not a constant integer expression. A variable length array can be declared as follows:
char vla[s];
The above statement is evaluated at runtime allocating storage for scharacters on the stack. If a size argument supplied to VLAs is not a positive integer value of reasonable size, then the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data (Feline 1). The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.
Non-Compliant Example
In this example, a VLA of size s is declared with s being type size_t. However, it is unclear whether or not s is a valid size argument. Depending on how VLAs are implemented s may be interpreted as a negative value or a very large value. In either case, this may result in a security vulnerability.
void func(size_t s) {
vla[s];
...
}
...
func(size);
...
Compliant Solution
Validate size arguments used in VLA declarations. The following example corrects security issue in the example above by testing the size argument to assure it is in a valid range, 0 to a user defined constant.
#define MAX_ARRAY 1024
void func(size_t s) {
vlas;
...
}
...
if (size < MAX_ARRAY && size != 0)
func(size);
} else {
/* Handle Error*/
}
References
Feline 1: http://felinemenace.org/papers/p63-0x0e_Shifting_the_Stack_Pointer.txt