JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C and C++

MISC.MEM.SIZE.SUBUFLOW : Subtraction Underflow of Size

Summary

A size argument to one of the triggering functions is based on unchecked subtraction, thus risking integer underflow and an unexpectedly small or unexpectedly large operation scope.

(Note: When subtraction underflow can affect size calculation for memory allocations, warning class Subtraction Underflow of Allocation Size applies instead.)

Properties

Class Name Subtraction Underflow of Size
Significance security
Mnemonic MISC.MEM.SIZE.SUBUFLOW
Categories
MisraC2025 MisraC2025:21.18 The size_t argument passed to any function in <string.h> shall have an appropriate value
MisraC2023 MisraC2023:21.18 The size_t argument passed to any function in <string.h> shall have an appropriate value
Misra2012 Misra2012:21.18 The size_t argument passed to any function in <string.h> shall have an appropriate value
AUTOSARC++14 AUTOSARC++14:A4-7-1 An integer expression shall not lead to data loss.
MisraC++2023 MisraC++2023:0.3.2 A function call shall not violate the function's preconditions
  MisraC++2023:8.20.1 An unsigned arithmetic operation with constant operands should not wrap
CWE CWE:128 Wrap-around Error
  CWE:190 Integer Overflow or Wraparound
  CWE:191 Integer Underflow (Wrap or Wraparound)
  CWE:680 Integer Overflow to Buffer Overflow
TS17961 TS17961:5.45-taintsink Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink
CERT-C CERT-C:INT08-C Verify that all integer values are in range
  CERT-C:INT18-C Evaluate integer expressions in a larger size before comparing or assigning to that size
  CERT-C:INT30-C Ensure that unsigned integer operations do not wrap
  CERT-C:INT32-C Ensure that operations on signed integers do not result in overflow
JSF++ JSF++:203 Evaluation of expressions shall not lead to overflow/underflow (unless required algorithmically and then should be heavily documented).
  JSF++:212 Underflow or overflow functioning shall not be depended on in any special way.
DISA-6r1 DISA-6r1:V-222612 The application must not be vulnerable to overflow attacks.
DISA-5r3 DISA-5r3:V-70277 The application must not be vulnerable to overflow attacks.
DISA-4r3 DISA-4r3:V-70277 The application must not be vulnerable to overflow attacks.
DISA-3r10 DISA-3r10:V-16808 The designer will ensure the application is not vulnerable to integer arithmetic issues.
OWASP-2017 OWASP-2017:A8 Insecure deserialization
OWASP-2021 OWASP-2021:A8 Software and data integrity failures
Availability Available for C and C++.
Enabling Checks for this warning class are disabled by default. To enable them, add the following WARNING_FILTER rule to the project configuration file. 
WARNING_FILTER += allow class="Subtraction Underflow of Size"

Example 

#include <string.h>

void do_subuflow_size(char *p, int x, int y)
{
    memset(p, 0, x - y);  /* Subtraction Underflow of Size
                           * warning issued here. */
    /* ... */
}

Triggers

CodeSonar ships with library models that allow it to recognize a large number of functions that operate on memory and take a size argument. Some examples are shown in the table below. If one of these functions is called with a size argument that may have undergone subtraction underflow, a warning will be issued.

If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering Subtraction Underflow of Size warnings.

Functions that can trigger warnings include...
Apache Portable Runtime (APR) apr_cpystrn(), apr_pmemdup()
gcc Builtins __builtin___memcpy_chk(), __builtin_strncpy()
LDAP ldap_search_ext()
libc memcpy(), strncat(), write()
libpq PQprepare()
Linux Kernel copy_from_user(), kfree_s()
Mac OS X _FREE_ZONE(), copyin()
ODBC SQLPrepareA(), SQLPrepareUNIX(), SQLPrepareW()
OpenSSL CRYPTO_malloc(), OPENSSL_cleanse()
Qt qMemCopy(), qMemSet()
Win32 BytesToUnicode(), StrNCatA(), StrNCatW(), wcsnlen()

Note that classes Addition Overflow of Size, Multiplication Overflow of Size, Subtraction Underflow of Size and Truncation of Size all have the same set of triggering functions.

Note

This is a "taint+dp" warning class: warnings of this class undergo a dedicated refinement phase that cannot be disabled. One consequence of this is that reporting exhibits some degree of unavoidable nondeterminism. If result stability is important to you, you may wish to avoid enabling this class.

In issuing a warning of this class, CodeSonar does not take into account any constraints on integer values that are imposed before the beginning of the warning's core path.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

 

To report problems with this documentation, please visit https://support.codesecure.com/.