SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 53 Next »

Variable length arrays (VLA) are essentially the same as traditional C arrays, the major difference being they are declared with a size that is not a constant integer expression. A variable length array can be declared as follows:

char vla[s];

The above statement is evaluated at runtime, allocating storage for s characters in stack memory. If a size argument supplied to VLAs is not a positive integer value of reasonable size, then the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 06]. The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.

Non-Compliant Code Example

In this example, a VLA of size s is declared. In accordance with recommendation INT01-A. Use size_t for all integer values representing the size of an object, s is of type size_t, as it is used to specify the size of an object. However, it is unclear whether the value of s is a valid size argument. Depending on how VLAs are implemented, s may be interpreted as a negative value or a very large positive value. In either case, this may result in a security vulnerability.

void func(size_t s) {
  int vla[s];
  /* ... */
}
/* ... */
func(size);
/* ... */

Compliant Code Solution

Validate size arguments used in VLA declarations. The solution below ensures the size argument, s, used to allocate vla is in a valid range: 1 to a user defined constant.

#define MAX_ARRAY 1024

void func(size_t s) {
   int vla[s];
   /* ... */
}

/* ... */
if (s < MAX_ARRAY && s != 0) {
   func(s);
} 
else {
   /* Handle Error */
}
/* ... */

Implementation Details

Variable length arrays are not supported by Microsoft compilers.

Risk Assessment

Failure to properly specify the size of a variable length array may allow arbitrary code execution.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR32-C

3 (high)

1 (unlikely)

1 (high)

P3

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Griffiths 06]]

  • No labels