Do not assume that a right shift operation is implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If E1 in the expression E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined and may be either an arithmetic shift or a logical shift. Also, be careful to avoid undefined behavior while performing a bitwise shift (see INT36-C. Do not shift a negative number of bits or more bits than exist in the operand).
Non-Compliant Code Example
This non-compliant code example can result in an error condition on implementations in which an arithmetic shift is performed and the sign bit can be propagated as the number is shifted [[Dowd 06]].
```c
int rc = 0;
int stringify = 0x80000000;   /* sign bit set on a 32-bit int */
char buf[sizeof("256")];      /* room for at most three digits plus NUL */

/* On an arithmetic-shift implementation the sign bit is replicated into
 * the upper bits, so the shifted value is far larger than one byte. */
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc == -1 || rc >= sizeof(buf)) {
  /* handle error */
}
```
In this example, on an implementation that performs an arithmetic shift, stringify >> 24 evaluates to 0xFFFFFF80, or 4,294,967,168. When converted to a string, the resulting value "4294967168" is too large to store in buf and is truncated by snprintf().
If this code had been implemented using sprintf() instead of snprintf(), this non-compliant code example would have resulted in a buffer overflow.
Compliant Solution
For bit extraction, make sure to mask off the bits you are not interested in.
```c
int rc = 0;
int stringify = 0x80000000;
char buf[sizeof("256")];

/* Masking with 0xff discards any propagated sign bits, so the result is
 * a single byte (0..255) regardless of how the shift is implemented. */
rc = snprintf(buf, sizeof(buf), "%u", ((stringify >> 24) & 0xff));
if (rc == -1 || rc >= sizeof(buf)) {
  /* handle error */
}
```
Also, consider using the sprintf_s() function defined in ISO/IEC TR 24731-1 instead of snprintf() to provide some additional checks (see STR00-A. Use TR 24731 for remediation of existing string manipulation code).
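The following added example (not part of the CERT page) puts the non-compliant and compliant byte extractions side by side and reports whether the formatted result fits the page's 4-byte buffer. It assumes a 32-bit int and uses INT_MIN to obtain the 0x80000000 bit pattern; the function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Non-compliant: right-shifts a negative int. Whether the sign bit is
 * propagated (arithmetic shift) or not (logical shift) is
 * implementation-defined, so the result may be 0x80 or 0xFFFFFF80. */
unsigned int top_byte_unmasked(int v) {
    return (unsigned int)(v >> 24);
}

/* Compliant (the page's fix): mask off everything except the byte wanted. */
unsigned int top_byte_masked(int v) {
    return (unsigned int)((v >> 24) & 0xff);
}

/* Also compliant: convert to unsigned first, so the shift is always
 * logical and no sign bits can be propagated. */
unsigned int top_byte_unsigned(int v) {
    return ((unsigned int)v) >> 24;
}

/* Formats byte into buf as snprintf() does on the page.
 * Returns 0 if the decimal string fit, -1 if it would have been truncated. */
int format_top_byte(unsigned int byte, char *buf, size_t len) {
    int rc = snprintf(buf, len, "%u", byte);
    if (rc < 0 || (size_t)rc >= len) {
        return -1;
    }
    return 0;
}

/* Returns 1 if the extracted top byte of v fits the "256"-sized buffer,
 * using the masked (compliant) or unmasked (non-compliant) extraction. */
int top_byte_fits(int v, int masked) {
    char buf[sizeof("256")];
    unsigned int byte = masked ? top_byte_masked(v) : top_byte_unmasked(v);
    return format_top_byte(byte, buf, sizeof buf) == 0;
}

int main(void) {
    int stringify = INT_MIN;  /* assumes 32-bit int: bit pattern 0x80000000 */
    printf("unmasked: 0x%X (%s)\n", top_byte_unmasked(stringify),
           top_byte_fits(stringify, 0) ? "fits" : "truncated");
    printf("masked:   0x%X (%s)\n", top_byte_masked(stringify),
           top_byte_fits(stringify, 1) ? "fits" : "truncated");
    return 0;
}
```

On a typical arithmetic-shift implementation the first line reports 0xFFFFFF80 and "truncated"; the masked form always reports 0x80 and "fits".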
Risk Assessment
Improper range checking can lead to buffer overflows and the execution of arbitrary code by an attacker.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
INT13-A | 3 (high) | 1 (unlikely) | 2 (medium) | P6 | L2
Automated Detection
The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.
Fortify SCA Version 5.0 with the CERT C Rule Pack can detect violations of this recommendation.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Dowd 06]] Chapter 6, "C Language Issues"
[[ISO/IEC 9899-1999]] Section 6.5.7, "Bitwise shift operators"
[[ISO/IEC 03]] Section 6.5.7, "Bitwise shift operators"