CERT
Skip to end of metadata
Go to start of metadata

The sizeof operator yields the size (in bytes) of its operand, which can be an expression or the parenthesized name of a type. However, using the sizeof operator to determine the size of arrays is error prone.

The sizeof operator is often used in determining how much memory to allocate via malloc(). However using an incorrect size is a violation of MEM35-C. Allocate sufficient memory for an object.

Noncompliant Code Example

In this noncompliant code example, the function clear() zeros the elements in an array. The function has one parameter declared as int array[] and is passed a static array consisting of 12 int as the argument. The function clear() uses the idiom sizeof(array) / sizeof(array[0]) to determine the number of elements in the array. However, array has a pointer type because it is a parameter. As a result, sizeof(array) is equal to the sizeof(int *). For example, on an architecture (such as IA-32) where the sizeof(int) == 4 and the sizeof(int *) == 4, the expression sizeof(array) / sizeof(array[0]) evaluates to 1, regardless of the length of the array passed, leaving the rest of the array unaffected.

Footnote 103 in subclause 6.5.3.4 of the C Standard [ISO/IEC 9899:2011] applies to all array parameters:

When applied to a parameter declared to have array or function type, the sizeof operator yields the size of the adjusted (pointer) type.

Compliant Solution

In this compliant solution, the size of the array is determined inside the block in which it is declared and passed as an argument to the function:

This sizeof(array) / sizeof(array[0]) idiom will succeed provided the original definition of array is visible.

Noncompliant Code Example

In this noncompliant code example, sizeof(a) does not equal 100 * sizeof(int), because the sizeof operator, when applied to a parameter declared to have array type, yields the size of the adjusted (pointer) type even if the parameter declaration specifies a length:

Compliant Solution

In this compliant solution, the size is specified using the expression len * sizeof(int):

Risk Assessment

Incorrectly using the sizeof operator to determine the size of an array can result in a buffer overflow, allowing the execution of arbitrary code.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ARR01-C

High

Probable

Low

P18

L1

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

 

 

Can detect violations of the recommendation but cannot distinguish between incomplete array declarations and pointer declarations

Klocwork2017CWARN.MEMSET.SIZEOF.PTRFully implemented
LDRA tool suite9.5.6

401 S

Fully implemented

Parasoft C/C++test9.5PB-32Fully implemented
Polyspace Bug FinderR2016aPossible misuse of sizeof

Use of sizeof operator can cause unintended results

Splint3.1.1

 

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardCTR01-CPP. Do not apply the sizeof operator to a pointer when taking the size of an array
MITRE CWECWE-467, Use of sizeof() on a pointer type
ISO/IEC TS 17961Taking the size of a pointer to determine the size of the pointed-to type [sizeofptr]

Bibliography

[Drepper 2006]Section 2.1.1, "Respecting Memory Bounds"
[ISO/IEC 9899:2011]Subclause 6.5.3.4, "The sizeof and _Alignof Operators"

 


5 Comments

  1. We may want to show another NCCE, where sizeof(array) / sizeof(array[0]) is used in other dangerous ways. If not, we may want to just make these example to be part of the test suite.

  2. Per the discussion between me, David, and Robert:

    We first thought that this title should be "Do not apply the sizeof operator to array parameters" to make it more concrete and to help with static tool analysis.  However, we thought of an example that would fit the current title:

    Thoughts on changing the title, including this NCCE, splitting this into two recommendations, or (my favorite) making a recommendation that says "Do not use sizeof on pointers"?

    1. I thought of a more likely scenario:

  3. Should this rule also detect this kind of error?

    1. What makes you think the code is in error? The address of an array is the address of its first element so the snippet simply zeroes out the array.