
Do not assume that a right shift operation is implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If E1 in the expression E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined and may be either an arithmetic shift or a logical shift. Also, be careful to avoid undefined behavior while performing a bitwise shift [[INT36-C. Do not shift a negative number of bits or more bits than exist in the operand]].

Non-Compliant Code Example

This non-compliant code example can result in an error condition on implementations in which an arithmetic shift is performed and the sign bit can be propagated as the number is shifted [[Dowd 06]].

#include <stdio.h>

int rc = 0;
int stringify = 0x80000000; /* sign bit set: negative on a two's complement implementation */
char buf[sizeof("256")];    /* room for at most three digits plus the terminator */
/* shifting the signed, negative value: the result is implementation-defined */
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc == -1 || rc >= sizeof(buf)) /* handle error */ ;

In this example, on an implementation that performs an arithmetic shift, stringify >> 24 evaluates to 0xFFFFFF80, or 4,294,967,168 when printed as an unsigned value. When converted to a string, the resulting value "4294967168" is too large to store in buf and is truncated by snprintf().

If this code had been implemented using sprintf() instead of snprintf(), this non-compliant code example would have resulted in a buffer overflow.

Compliant Solution

For bit extraction, make sure to mask off the bits you are not interested in.

#include <stdio.h>

int rc = 0;
int stringify = 0x80000000;
char buf[sizeof("256")];
/* mask off the propagated sign bits so only the extracted byte remains (0 to 255) */
rc = snprintf(buf, sizeof(buf), "%u", ((stringify >> 24) & 0xff));
if (rc == -1 || rc >= sizeof(buf)) /* handle error */ ;

Also, consider using the sprintf_s() function defined in ISO/IEC TR 24731-1 instead of snprintf() to provide some additional checks (see [[STR00-A. Use TR 24731 for remediation of existing string manipulation code]]).
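The non-compliant and compliant examples above, combined into one added demonstration (this is not code from the CERT page): it detects whether the implementation shifts negative values arithmetically, contrasts the unmasked shift with portable extraction that converts to unsigned before shifting, and checks the snprintf() return value against the page's buffer size. It assumes a two's complement int of at least 32 bits, so INT_MIN plays the role of the page's 0x80000000.

```c
#include <limits.h>
#include <stdio.h>
#include <stdbool.h>

/* Byte index of the most significant byte of an int (3 on a 32-bit int). */
#define TOP_BYTE ((unsigned)(sizeof(int) - 1))

/* True when this implementation right-shifts negative values arithmetically
 * (sign bit propagated). The result of -1 >> 1 is implementation-defined. */
bool right_shift_is_arithmetic(void) {
    int minus_one = -1;
    return (minus_one >> 1) == -1;
}

/* Unmasked extraction as in the non-compliant example: shift the signed value
 * and use the result as-is. On arithmetic-shift implementations the copied
 * sign bits survive into the result (0xFFFFFF80 for INT_MIN on a 32-bit int). */
unsigned unmasked_top_byte(int value) {
    return (unsigned)(value >> (TOP_BYTE * CHAR_BIT));
}

/* Portable extraction: convert to unsigned first (a well-defined, modular
 * conversion), so the shift is logical everywhere, then mask to one byte. */
unsigned extract_byte(int value, unsigned byte_index) {
    return ((unsigned)value >> (byte_index * CHAR_BIT)) & 0xFFu;
}

/* Format a value into a buffer sized like the page's buf (sizeof("256") == 4),
 * checking snprintf's return value as the examples do. Returns true only if the
 * whole string fit; truncation is reported rather than silently accepted. */
bool fits_in_buf(unsigned shifted) {
    char buf[sizeof("256")];
    int rc = snprintf(buf, sizeof(buf), "%u", shifted);
    return rc >= 0 && (size_t)rc < sizeof(buf);
}

int main(void) {
    int stringify = INT_MIN;   /* assumed stand-in for the page's 0x80000000 */
    printf("arithmetic shift: %s\n", right_shift_is_arithmetic() ? "yes" : "no");
    printf("unmasked: %u fits=%d\n", unmasked_top_byte(stringify),
           fits_in_buf(unmasked_top_byte(stringify)));
    printf("masked:   %u fits=%d\n", extract_byte(stringify, TOP_BYTE),
           fits_in_buf(extract_byte(stringify, TOP_BYTE)));
    return 0;
}
```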

Risk Assessment

Improper range checking can lead to buffer overflows and the execution of arbitrary code by an attacker.

Recommendation   Severity   Likelihood     Remediation Cost   Priority   Level
INT13-A          3 (high)   1 (unlikely)   2 (medium)         P6         L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Dowd 06]] Chapter 6, "C Language Issues"
[[ISO/IEC 9899-1999]] Section 6.5.7, "Bitwise shift operators"
[[ISO/IEC 03]] Section 6.5.7, "Bitwise shift operators"
