
Do not assume that a right shift is implemented as either an arithmetic (sign-propagating) shift or a logical (zero-filling) shift. If E1 in the expression E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined (C99 Section 6.5.7): the implementation may perform either an arithmetic or a logical shift. Right shifts of unsigned operands do not have this problem and are always logical. Also, be careful to avoid undefined behavior while performing a bitwise shift (see INT36-C. Do not shift a negative number of bits or more bits than exist in the operand).

Non-Compliant Code Example

This non-compliant code example can result in an error condition on implementations in which an arithmetic shift is performed, so that the sign bit is propagated into the vacated high-order bits as the number is shifted [[Dowd 06]].

#include <stdio.h>

int rc = 0;
int stringify = 0x80000000;  /* sets the sign bit; on a 32-bit int this is INT_MIN */
char buf[sizeof("256")];     /* room for at most three digits and the terminator */
/* stringify is signed and negative, so the value of >> is implementation-defined */
rc = snprintf(buf, sizeof(buf), "%u", stringify >> 24);
if (rc < 0 || (size_t)rc >= sizeof(buf)) { /* handle error */ }

On an arithmetic-shift implementation, stringify >> 24 evaluates to -128, whose 32-bit representation is 0xFFFFFF80; printed with the %u conversion it appears as 4,294,967,168. The resulting string "4294967168" needs eleven bytes, far more than the four available in buf, so snprintf() truncates it and returns a length that fails the rc >= sizeof(buf) check. (On a logical-shift implementation the same expression yields 0x80, or 128, which fits; the code's behavior therefore depends on the implementation.)

Had this code been implemented using sprintf() instead of snprintf(), it would have resulted in a buffer overflow.

Compliant Solution

For bit extraction, mask off the bits you are not interested in after shifting. The mask discards any sign bits an arithmetic shift propagates, so the result is the same whichever kind of shift the implementation performs.

#include <stdio.h>

int rc = 0;
int stringify = 0x80000000;  /* sets the sign bit; on a 32-bit int this is INT_MIN */
char buf[sizeof("256")];     /* room for at most three digits and the terminator */
/* & 0xff keeps only the low byte of the shifted value, so the result is 128 either way */
rc = snprintf(buf, sizeof(buf), "%u", ((stringify >> 24) & 0xff));
if (rc < 0 || (size_t)rc >= sizeof(buf)) { /* handle error */ }

Also, consider using the sprintf_s() function defined in ISO/IEC TR 24731-1 instead of snprintf() to provide some additional checks (see STR00-A. Use TR 24731 for remediation of existing string manipulation code).
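The following program is an added example, not code from the CERT page: it puts the non-compliant extraction from the example above beside the two portable forms, masking after the shift and shifting an unsigned operand, and adds a check that reports which kind of right shift the compiling implementation performs. The function names are this example's own, and it assumes a 32-bit int so that INT_MIN has the bit pattern 0x80000000 used on the page.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example for INT13-A; assumes a 32-bit int (INT_MIN == 0x80000000). */

/* Report whether this implementation right-shifts negative ints arithmetically
 * (sign bit replicated) or logically (zero-filled). C99 6.5.7 permits either. */
int right_shift_is_arithmetic(void) {
    int negative = -1;
    return (negative >> 1) == -1;   /* a logical shift would yield INT_MAX */
}

/* Non-compliant: relies on the implementation's choice of shift. With an
 * arithmetic shift the high byte of INT_MIN comes back as -128 (0xFFFFFF80),
 * not 0x80. */
int top_byte_noncompliant(int value) {
    return value >> 24;
}

/* Compliant: mask after shifting, so propagated sign bits are discarded
 * whichever shift the implementation performs. */
int top_byte_masked(int value) {
    return (value >> 24) & 0xff;
}

/* Compliant: shift an unsigned operand; >> on an unsigned type is always logical. */
unsigned int top_byte_unsigned(unsigned int value) {
    return value >> 24;
}

/* Format the masked high byte into buf, which need only hold "255" plus the
 * terminator. Returns the number of characters written, or -1 if snprintf()
 * failed or the result did not fit (the same check the page's examples make). */
int format_top_byte(int value, char *buf, size_t bufsize) {
    int rc = snprintf(buf, bufsize, "%u", (unsigned int)top_byte_masked(value));
    if (rc < 0 || (size_t)rc >= bufsize) {
        return -1;   /* encoding error or truncation */
    }
    return rc;
}

int main(void) {
    int stringify = INT_MIN;   /* bit pattern 0x80000000 on a 32-bit int */
    char buf[sizeof("256")];

    printf("right shift of a negative int is %s here\n",
           right_shift_is_arithmetic() ? "arithmetic" : "logical");
    printf("non-compliant: stringify >> 24 = %d (%u as %%u)\n",
           top_byte_noncompliant(stringify),
           (unsigned int)top_byte_noncompliant(stringify));
    if (format_top_byte(stringify, buf, sizeof(buf)) < 0) {
        puts("compliant: result did not fit");
    } else {
        printf("compliant (masked): \"%s\"\n", buf);
    }
    printf("compliant (unsigned operand): %u\n", top_byte_unsigned(0x80000000u));
    return 0;
}
```

On the common arithmetic-shift implementations the non-compliant line prints -128 and 4294967168, while both compliant forms print 128; on a logical-shift implementation all three agree, which is exactly why code that only ever ran on one kind of implementation can hide this dependency.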

Risk Assessment

Improper range checking can lead to buffer overflows and the execution of arbitrary code by an attacker.

Recommendation   Severity   Likelihood     Remediation Cost   Priority   Level
INT13-A          3 (high)   1 (unlikely)   2 (medium)         P6         L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

References

[[Dowd 06]] Chapter 6, "C Language Issues"
[[ISO/IEC 9899-1999]] Section 6.5.7, "Bitwise shift operators"
[[ISO/IEC 03]] Section 6.5.7, "Bitwise shift operators"


