An object has a storage duration that determines its lifetime. There are three storage durations: static, automatic, and allocated.
According to [[ISO/IEC 9899-1999]]:
The lifetime of an object is the portion of program execution during which storage is guaranteed to be reserved for it. An object exists, has a constant address, and retains
its last-stored value throughout its lifetime. If an object is referred to outside of its lifetime, the behavior is undefined. The value of a pointer becomes indeterminate when
the object it points to reaches the end of its lifetime.
Non-Compliant Code Example
This non-compliant code example declares the variable p as a pointer to a constant char with file scope. Inside the dontDoThis() function, the address of the local array str is assigned to p. However, str has automatic storage duration, so its lifetime ends when dontDoThis() returns, leaving p dangling.
const char *p;

void dontDoThis() {
    const char str[20] = "This will change";
    p = str; // dangerous
    /* ... */
}

void innocuous() {
    const char str[20] = "Surprise, surprise";
}

/* ... */
dontDoThis();
innocuous();
// now, it is likely that p is pointing to "Surprise, surprise"
As a result of this undefined behavior, it is likely that after the call to innocuous() p will point to stack memory that now holds the string "Surprise, surprise", because the local array of innocuous() typically reuses the storage that str of dontDoThis() occupied.
Compliant Solution
In this compliant solution, the pointer to constant char p is declared inside thisIsOK(), so it cannot be accessed outside the function and therefore cannot outlive the array it points to.
void thisIsOK() {
    const char str[20] = "Everything OK";
    const char *p = str;
    /* ... */
}
// pointer p is now inaccessible outside the scope of string str
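The storage durations defined above, and the compliant pattern just shown, cover the three ways a function can legitimately hand a string back to its caller; the following is an added example, not code from the rule itself, and the function names (greeting_static, greeting_allocated, greeting_into) are hypothetical. Each variant returns a pointer whose target is still alive after the function returns, which is exactly what a pointer to an automatic local array cannot offer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Static storage duration: buf exists for the whole program run, so the
 * returned pointer stays valid (at the cost of the function not being
 * reentrant and the caller not being allowed to modify the string). */
const char *greeting_static(void) {
    static const char buf[] = "static storage";
    return buf;
}

/* Allocated storage duration: the object lives until free() is called,
 * so ownership (and the duty to free) passes to the caller. */
char *greeting_allocated(void) {
    const char src[] = "allocated storage";   /* automatic: copied, not returned */
    char *buf = malloc(sizeof src);
    if (buf != NULL) {
        memcpy(buf, src, sizeof src);
    }
    return buf;
}

/* Caller-provided storage: the lifetime is whatever the caller chose for
 * dst. Returns the number of characters written, truncating if needed. */
size_t greeting_into(char *dst, size_t dst_size) {
    const char src[] = "caller storage";
    if (dst == NULL || dst_size == 0) {
        return 0;
    }
    size_t n = strlen(src);
    if (n >= dst_size) {
        n = dst_size - 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void) {
    char local[32];                             /* lifetime: this block */
    char *heap = greeting_allocated();          /* lifetime: until free() */
    printf("%s\n", greeting_static());
    if (heap != NULL) {
        printf("%s\n", heap);
        free(heap);
    }
    greeting_into(local, sizeof local);
    printf("%s\n", local);
    return 0;
}
```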
Risk Assessment
Referencing an object outside of its lifetime could result in an attacker being able to run arbitrary code.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| DCL30-C | 3 (high) | 2 (probable) | 1 (high) | P6 | L2 |
References
- ISO/IEC 9899-1999 Section 6.2.4, "Storage durations of objects," Section 7.20.3, "Memory management functions"