You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

The offsetof() macro is defined by the C Standard as a portable way to determine the offset, expressed in bytes, from the start of the object to a given member of that object. The C Standard, 7.17, paragraph 3 [ISO/IEC 9899:1999], specifies, in part:

offsetof(type, member-designator) which expands to an integer constant expression that has type size_t, the value of which is the offset in bytes, to the structure member (designated by member-designator), from the beginning of its structure (designated by type). The type and member designator shall be such that given static type t; then the expression &(t.member-designator) evaluates to an address constant. (If the specified member is a bit-field, the behavior is undefined.)

The C++ Standard, [support.types], paragraph 4 [ISO/IEC 14882-2014], places additional restrictions beyond those set by the C standard:

The macro offsetof(type, member-designator) accepts a restricted set of type arguments in this International Standard. If type is not a standard-layout class, the results are undefined. The expression offsetof(type, member-designator) is never type-dependent and it is value-dependent if and only if type is dependent. The result of applying the offsetof macro to a field that is a static data member or a function member is undefined. No operation invoked by the offsetof macro shall throw an exception and noexcept(offsetof(type, member-designator)) shall be true.

When specifying the type argument for the offsetof() macro, only pass a standard-layout class. The full description of a standard-layout class can be found in Clause 9 of the C++ standard, or the type can be checked with the std::is_standard_layout<> type trait. When specifying the member designator argument for the offsetof() macro, do not pass a bit-field, static data member, or function member. Passing an invalid type or member to the offsetof() macro is undefined behavior.

Noncompliant Code Example

In this noncompliant code example, a type that is not a standard-layout class passed to the offsetof() macro, resulting in undefined behavior:

#include <cstddef>
 
struct D {
  virtual void f() {}
  int i;
};
 
void f() {
  size_t off = offsetof(D, i);
  // ...
}

Implementation Details

The noncompliant code example compiles without emitting a diagnostic when compiled with the /Wall switch in Microsoft Visual Studio 2013 on x86, resulting in off being 4, likely due to the presence of a vtable for type D.

Compliant Solution

It is not possible to determine the offset to i within D because D is not a standard-layout class. However, it is possible to make a standard-layout class within D if this functionality is critical to the application, as demonstrated in this compliant solution:

#include <cstddef>

struct D {
  virtual void f() {}
  struct InnerStandardLayout {
    int i;
  } Inner;
};

void f() {
  size_t off = offsetof(D::InnerStandardLayout, i);
  // ...
}

Noncompliant Code Example

In this noncompliant code example, the offset to i is calculated so that a value can be stored at that offset within buffer. However, because i is a static data member of the class, this results in undefined behavior. According to the C++ Standard, [class.static.data], paragraph 1 [ISO/IEC 14882-2014], static data members are not part of the subobjects of a class.

#include <cstddef>
 
struct S {
  static int i;
  // ...
};
int S::i = 0;
 
extern void store_in_some_buffer(void *buffer, size_t offset, int val);
extern void *buffer;
 
void f() {
  size_t off = offsetof(S, i);
  store_in_some_buffer(buffer, off, 42);
}

Implementation Details

The noncompliant code example compiles without emitting a diagnostic when compiled with the /Wall switch in Microsoft Visual Studio 2013 on x86, resulting in off being a large value, likely representing the offset between the null pointer adddress 0 and the address of the static variable S::i.

Compliant Solution

Since static data members are not a part of the class layout, but are instead an entity of their own, this compliant solution passes the address of the static member variable as the buffer to store the data into, and passes 0 as the offset.

#include <cstddef>
 
struct S {
  static int i;
  // ...
};
int S::i = 0;
 
extern void store_in_some_buffer(void *buffer, size_t offset, int val);
 
void f() {
  store_in_some_buffer(&S::i, 0, 42);
}

Risk Assessment

Passing an invalid type or member to offsetof() can result in undefined behavior that might be exploited to cause data integrity violations, or result in values from the macro expansion that are incorrect.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP59-CPP

Medium

Unlikely

Medium

P4

L3 

Automated Detection 

Tool

Version

Checker

Description

Clang3.9
-Winvalid-offsetof
Emits an error diagnostic on invalid member designators, and emits a warning diagnostic on invalid types
GCC
4.9

 

-Winvalid-offsetof
Emits an error diagnostic on invalid member designators, and emits a warning diagnostic on invalid types

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

  

Bibliography

[ISO/IEC 9899:1999]7.17, "Common Definitions <stddef.h>"
[ISO/IEC 14882-2014]18.2, "Types"
9.4.2, "Static Data Members" 

 


 

   

  • No labels