Variable-length arrays (VLA) are essentially the same as traditional C arrays, except that they are declared with a size that is not a constant integer expression and can be declared only at block scope or function prototype scope and no linkage. A variable-length array can be declared
{ /* block scope */ char vla[size]; } |
where the integer expression {{size}} and the declaration of {{vla}} are both evaluated at runtime. If the size argument supplied to a variable-length array is not a positive integer value, the behavior is undefined. (See [undefined behavior 69|CC. Undefined Behavior#ub_69] in Annex J of C99.) In addition, if the magnitude of the argument is excessive the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data \[[Griffiths 2006|AA. Bibliography#Griffiths 06]\]. The programmer must ensure that size arguments to variable-length arrays are valid and have not been corrupted as the result of an exceptional integer condition. |
In this noncompliant code example, a variable-length array of size size
is declared. The size
is declared as size_t
in compliance with recommendation INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.
void func(size_t size) { int vla[size]; /* ... */ } /* ... */ |
However, it is not guaranteed that the value of size
is a valid size argument, potentially giving rise to a security vulnerability.
This compliant solution ensures the size
argument used to allocate vla
is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation.
enum { MAX_ARRAY = 1024 }; void func(size_t size) { if (0 < size && size < MAX_ARRAY) { int vla[size]; /* ... */ } else { /* Use dynamic allocation */ } } /* ... */ |
Variable length arrays are not supported by Microsoft compilers.
Newer versions of GCC have incorporated variable length arrays, but do not yet claim full C99 conformance. Therefore, variable length arrays should only be used on GCC with great care.
On an example Debian GNU/Linux Intel 32-bit test machine with GCC v. 4.2.2, the value of a variable length array's size is interpreted as a 32-bit signed integer. Passing in a negative number for the size will likely cause the program stack to become corrupted, and passing in a large positive number may cause a terminal stack overflow. It is important to note that this information may become outdated as GCC evolves.
Failure to properly specify the size of a variable length array may allow arbitrary code execution or result in stack exhaustion.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ARR32-C |
high |
probable |
high |
P6 |
L2 |
Tool |
Version |
Checker |
Description |
|||
---|---|---|---|---|---|---|
|
|
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
ISO/IEC TR 24772 "XYX Boundary Beginning Violation" and "XYZ Unchecked Array Indexing"
\[[Griffiths 2006|AA. Bibliography#Griffiths 06]\] |
ARR31-C. Use consistent array notation across all source files 06. Arrays (ARR) ARR33-C. Guarantee that copies are made into storage of sufficient size