Description -

             A programmer should keep a check on the following (sub-sections):

                        - ‘n’ > size of ’p’                                                                                     // for func(p,n)

                        - ‘n’ and ‘p’ are not compatible

                        - (‘n’ > size of ‘p’ or size of ‘q’) || (‘p’ and ‘q’ are not compatible)                 // for func(p,q, n)

                        - ‘p’ and ‘q’ are compatible but not with ‘n’

                        - Correct usage of expression E                                                              // for E: T* = mem_alloc(n)

 

Noncompliant Code Example

This noncompliant code example assigns a value greater than the size of dynamic memory to 'n' which is then passed to the memset().

void f1 (size_t nchars) {

	char *p = (char *)malloc(nchars);
	const size_t n = nchars + 1;

	memset(p, 0, n);
	/* More program code */

}

Compliant Solution

This compliant solution makes sure that the value of 'n' is not greater the size of the dynamic memory pointed to by the pointer 'p':

void f1 (size_t nchars, size_t val) {

	char *p = (char *)malloc(nchars);
	const size_t n = val;

	if (nchars - n < 0) {
     		/* Handle Error */
	}

	else {
		memset(p, 0, n);
	}

}

Noncompliant Code Example

In noncompliant code example the effective type of *p is float while the derived type of the expression 'n' is int.

void f2() {

	float a[4];
	const size_t n= sizeof(int) * 4;
	void *p = a;


	memset(p, 0, n);
	/* More program code */

}

Note: A possibility of this code being safe would be on architectures where sizeof (int) is equal to sizeof (float).

Compliant Solution

The derived type of 'n' in this solution is also float.

void f2() {

	float a[4];
	const size_t n= sizeof(float) * 4;
	void *p = a;

	memset(p, 0, n);
	/* More program code */

}

Noncompliant Code Example

In this noncompliant code example, the size of 'n' could be greater than the size of *p. Also, the effective type of *p (int) is not same as the effective type of *q (float).

void f3(int *a) {

	float b = 3.14;
	const size_t n = sizeof(*b);
	void *p = a;
	void *q = &b;

	memcpy(p, q, n);
	/* More program code */

}

Compliant Solution

This compliant solution makes sure that the of 'n' is not greater the the minimum of effective sizes of *p and *q.

void f3(int *a) {

	float b = 3.14;
	const size_t n = sizeof(*b);
	void *p = a;
	void *q = &b;

	if (n <= size(*p) && n <= size(*q)) {
		memcpy(p, q, n);
	}

	else {
		/* Handle Error */
	}

}

Noncompliant Code Example

In this noncompliant code example, the size of 'n' could be greater than the size of *p. Also, the effective type of *p (int) is not same as the effective type of *q (float).

wchar_t *f7() {


	const wchar_t *p = L"Hello, World!";
	const size_t n = sizeof(p) * (wcslen(p) + 1);


	wchar_t *q = (wchar_t *)malloc(n);
	return q;


}

Compliant Solution

This compliant solution makes sure that the of 'n' is not greater the the minimum of effective sizes of *p and *q.

wchar_t *f7() {
	const wchar_t *p = L"Hello, World!";
	const size_t n = sizeof(wchar_t);


	wchar_t *q = (wchar_t *)malloc(n);
	return q;


}

Risk Assessment

Depending on the library function called, the attacker may be able to use a heap overflow vulnerability to run arbitrary code. The detection of checks specified in description can be automated but the remediation has to be manual.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR38-C

high

likely

medium

P18

L1

Related Guidelines

Bibliography

WG14 Document: N1579 - Rule 5.34 Forming Invalid pointers by library functions.