Do not assume that a right shift operation is implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If E1
in the expression E1 >> E2
has a signed type and a negative value, the resulting value is implementation defined and may be either an arithmetic shift or a logical shift. Also, be careful to avoid undefined behavior while performing a bitwise shift [[INT36-C]].
Non-Compliant Coding Example
For implementations in which an arithmetic shift is performed and the sign bit can be propagated as the number is shifted.
int stringify; char buf[sizeof("256")]; sprintf(buf, "%u", stringify >> 24);
If stringify
has the value 0x80000000
, stringify >> 24
evaluates to 0xFFFFFF80
and the subsequent call to sprintf()
results in a buffer overflow.
Compliant Solution
For bit extraction, make sure to mask off the bits you are not interested in.
int stringify; char buf[sizeof("256")]; sprintf(buf, "%u", ((number >> 24) & 0xff));
Risk Assessment
Improper range checking can lead to buffer overflows and the execution of arbitary code by an attacker.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
INT13-A |
3 (high) |
1 (probable) |
2 (medium) |
P6 |
L2 |
References
[[Dowd 06]] Chapter 6, "C Language Issues"
[[ISO/IEC 9899-1999]] Section 6.5.7, "Bitwise shift operators"
[[ISO/IEC 03]] Section 6.5.7, "Bitwise shift operators"