Use bitwise operators only on unsigned operands. Bitwise operators include the bitwise shift operators >> and <<, bitwise AND operator &, bitwise exclusive OR operator ^, and bitwise inclusive OR operator |.
Do not assume that a right shift operation is implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If {{E1}} in the expression {{E1 >> E2}} has a signed type and a negative value, the resulting value is [implementation-defined|BB. Definitions#implementation-defined behavior] and may be either an arithmetic shift or a logical shift. Also, be careful to avoid [undefined behavior|BB. Definitions#undefined behavior] while performing a bitwise shift (see [INT36-C. Do not shift a negative number of bits or more bits than exist in the operand]). This non-compliant code example can result in an error condition on [implementations|BB. Definitions#implementation] in which an arithmetic shift is performed and the sign bit can be propagated as the number is shifted \[[Dowd 06|AA. C References#Dowd 06]\]. |
int rc = 0;
int stringify = 0x80000000;
char buf[sizeof("256")];
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc == -1 || rc >= sizeof(buf)) /* handle error */ ;
|
In this example, stringify >> 24 evaluates to 0xFFFFFF80, or 4,294,967,168. When converted to a string, the resulting value "4294967168" is too large to store in buf and is truncated by snprintf().
If this code had been implemented using sprintf() instead of snprintf(), this non-compliant code example would have resulted in a buffer overflow.
For bit extraction, make sure to mask off the bits you are not interested in.
int rc = 0;
unsigned int stringify = 0x80000000;
char buf[sizeof("256")];
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc == -1 || rc >= sizeof(buf)) /* handle error */ ;
|
Also, consider using the sprintf_s() function defined in ISO/IEC TR 24731-1 instead of snprintf() to provide some additional checks (see STR07-A. Use TR 24731 for remediation of existing string manipulation code).
Improper range checking can lead to buffer overflows and the execution of arbitrary code by an attacker.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
INT13-A |
high |
unlikely |
medium |
P6 |
L2 |
The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.
Fortify SCA Version 5.0 with the CERT C Rule Pack can detect violations of this recommendation.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 6, "C Language Issues" \[[ISO/IEC 03|AA. C References#ISO/IEC 03]\] Section 6.5.7, "Bitwise shift operators" \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.5.7, "Bitwise shift operators" \[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XYY Wrap-around Error" |
INT12-A. Do not make assumptions about the type of a plain int bit-field when used in an expression 04. Integers (INT) INT14-A. Avoid performing bitwise and arithmetic operations on the same data