One of the problems with arrays is determining the size. The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type.
Non-compliant Code Example 1
This piece of code incorrectly uses the sizeof operator. When applied to a pointer, the sizeof operator returns the size of the pointer, not the size of the block of space the pointer refers to. As a result the call to malloc will return a pointer to a block of memory equal in size to the size of a pointer (commonly 4 bytes). When the strcpy is called a heap buffer overflow will occur.
char *src = "hello, world"; char *dest = malloc(sizeof(src)); strcpy(dest, src);
Compliant Solution 1
Fixing this issue requires the programmer to recognize and understand how sizeof works. In this case if, changing the type of src to a character array will correct the problem
char src[] = "hello, world"; char *dest = malloc(sizeof(src)); strcpy(dest, src);
Non-compliant Code Example 2
The sizeof operator can be used to compute the number of elements in an array as follows: sizeof (dis) / sizeof (dis0). The sizeof operator can also be used to calculate the size of variable length arrays. In the case of a variable length array, the operand is evaluated at runtime. Extreme care must be taken when using this particular programming idiom, however.
void f(int a[]) {
int i;
for (i = 0; i < sizeof (a) / sizeof (a[0]); i++) {
a[i] = 21;
}
}
int main(void) {
int dis[12];
f(dis);
}
In the following example sizeof (a) / sizeof (a0) evaluates to 1 because int a[] is equivalent to int *a in the function declaration. This allows f() to be passed an array of arbitrary length.
Compliant Solution
This problem can be fixed by passing the size as a separate argument, as shown in the following example:
void g(int a[], int size) {
int i;
for (i = 0; i < size; i++) {
a[i] = 21;
}
}
g(dis, sizeof (dis) / sizeof (dis[0]));
Care must be taken to ensure that the size is valid for the array. If these parameters can be manipulated by an attacker, this function will almost always result in an exploitable vulnerability.
Compliant Code Example 2
In general, correcting issues regarding improper use of the sizeof operator requires that the programmer have a solid understanding of how sizeof works. Consider the following data types and variables:
struct test_struct {
char c1,c2;
int *integer_ptr;
};
char array[10];
char * pointer = malloc(10);
char character;
struct test_struct structure;
struct test_struct struct_array[10];
The following are the implementation specific results of using the sizeof operator on those data types:
sizeof(char) /* 1 Byte */ sizeof(character) /* 1 Byte */ sizeof(&character) /* 4 Bytes */ sizeof(pointer) /* 4 Bytes */ sizeof(array) /* 10 Bytes */ sizeof(structure) /* 8 Bytes */ sizeof(&structure) /* 4 Bytes */ sizeof(struct_array) /* 80 Bytes */