ABSTRACT

Array bounds check could be mistakenly optimized out.

EXPLANATION


If an array bounds check involves computing an illegal pointer and then determining that the pointer is out of bounds, some compilers will optimize the check away, assuming that the programmer would never intentionally create an illegal pointer.

Example:


char *buf;
int len;
...
len = 1<<30;

if (buf+len < buf)   /* wrap check: forms the pointer buf+len first, then compares */
    [handle overflow]


On a 32-bit platform the sum buf + len can exceed 2^32, so the wrapped result is numerically smaller than buf. But since arithmetic overflow on a pointer is undefined behavior, some compilers will assume buf + len >= buf always holds and optimize the wrap check away. As a result of this optimization, code following this block could be vulnerable to buffer overflow.
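As an added example (not code from the original entry), the following C places the unreliable pointer-wrap check next to a check that reasons about sizes as integers before any pointer is formed, which is the usual mitigation. The buffer, capacity and helper names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unreliable form, as in the entry above: the check forms buf + len first.
 * Forming an out-of-bounds pointer is undefined behaviour, so the compiler
 * may assume buf + len >= buf always holds and delete the comparison.
 * Only called here with len == 0 so that no illegal pointer is formed. */
static int fits_wrap_check(const char *buf, size_t len) {
    return (buf + len < buf) ? 0 : 1;   /* may be optimised to "return 1" */
}

/* Reliable form: compare sizes as unsigned integers, never pointers.
 * `cap` is the buffer capacity, `used` the bytes already written. */
static int fits_size_check(size_t cap, size_t used, size_t len) {
    if (used > cap)
        return 0;                       /* corrupted state: reject */
    return len <= cap - used;           /* cap - used cannot underflow here */
}

/* Append n bytes of src to buf only after the size check passes.
 * Returns the number of bytes copied (0 when the append is rejected). */
static size_t append_checked(char *buf, size_t cap, size_t *used,
                             const char *src, size_t n) {
    if (!fits_size_check(cap, *used, n))
        return 0;
    memcpy(buf + *used, src, n);        /* pointer formed only once in bounds */
    *used += n;
    return n;
}

/* Walk-through on a constructed 16-byte buffer: two appends that fit and
 * one that would overflow and is rejected. Returns the final `used`. */
static size_t demo_append_sequence(void) {
    char buf[16];
    size_t used = 0;
    append_checked(buf, sizeof buf, &used, "hello", 5);         /* 5 used   */
    append_checked(buf, sizeof buf, &used, "0123456789ab", 12); /* rejected */
    append_checked(buf, sizeof buf, &used, "01234567890", 11);  /* 16 used  */
    return used;
}

int main(void) {
    printf("bytes in buffer after checked appends: %zu\n", demo_append_sequence());
    return 0;
}
```

The size-based check is portable: it never depends on pointer width and cannot be removed by the optimizer, because every operand is an ordinary unsigned integer whose overflow behaviour is defined.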

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3590.1 CAT I

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 733

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.2

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.5

[6] Vulnerability Note VU#162289 CERT