All integer values originating from untrusted sources should be evaluated to determine if there are identifiable upper and lower bounds. If so, these limits should be enforced by the interface. Restricting the input of excessively large or small integers helps prevent overflow, truncation, and other type range errors. Furthermore, it is easier to find and correct input problems than it is to trace internal errors back to faulty inputs.
In this noncompliant code example, length is the value of a user-defined (and thus potentially untrusted) environment variable whose value is used to determine the size of a dynamically allocated array, table. In compliance with INT30-C. Ensure that unsigned integer operations do not wrap the code prevents unsigned integer wrapping but it doesn't impose any upper bound on the size of the array, making it possible for the user to cause the program to use an excessive amount of memory.
char** create_table(void) {
const char* const lenstr = getenv("TABLE_SIZE");
const size_t length = lenstr ? strtoul(lenstr, NULL, 10) : 0;
if (length > SIZE_MAX / sizeof(char *))
return NULL; /* indicate error to caller */
const size_t table_size = length * sizeof(char *);
char** const table = (char **)malloc(table_size);
if (table == NULL)
return NULL; /* indicate error to caller */
/* initialize table... */
return table;
}
|
Because length is user controlled, the value can result in a large block of memory being allocated or can cause the call to malloc() to fail. Depending on how error handling is implemented, this may result in a denial of service or other error.
This compliant solution defines the acceptable range for {{length}} as {{\[1, MAX_TABLE_LENGTH\]}}. The {{length}} parameter is declared as {{size_t}}, which is unsigned by definition. Consequently, it is not necessary to check {{length}} for negative values. (See recommendation [INT01-C. Use rsize_t or size_t for all integer values representing the size of an object].) |
enum { MAX_TABLE_LENGTH = 256 };
char** create_table(void) {
const char* const lenstr = getenv("TABLE_SIZE");
const size_t length = lenstr ? strtoul(lenstr, NULL, 10) : 0;
if (length == 0 || length > MAX_TABLE_LENGTH)
return NULL; /* indicate error to caller */
const size_t table_size = length * sizeof(char *);
char** const table = (char **)malloc(table_size);
if (table == NULL)
return NULL; /* indicate error to caller */
/* initialize table... */
return table;
}
|
The test for length == 0 ensures that a nonzero number of bytes is allocated. (See recommendation MEM04-C. Do not perform zero length allocations.)
Failing to enforce the limits on integer values can result in a denial-of-service attack.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
INT04-C |
low |
probable |
high |
P2 |
L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
CERT C++ Secure Coding Standard: INT04-CPP. Enforce limits on integer values originating from untrusted sources
\[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 5, "Integer Security" |
INT03-C. Use a secure integer library 04. Integers (INT)