CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C and C++


MISC.NEGCHAR : Negative Character Value

Summary

A negative (or potentially negative) value is passed to a function that expects an unsigned char value or EOF (as an int).

Properties

Class Name: Negative Character Value
Significance: security
Mnemonic: MISC.NEGCHAR
Categories:
  MisraC2025:
    MisraC2025:21.13 Any value passed to a function in <ctype.h> shall be representable as an unsigned char or be the value EOF
    MisraC2025:22.7 The macro EOF shall only be compared with the unmodified return value from any Standard Library function capable of returning EOF
    MisraC2025:D.4.1 Run-time failures shall be minimized
  MisraC2023:
    MisraC2023:21.13 Any value passed to a function in <ctype.h> shall be representable as an unsigned char or be the value EOF
    MisraC2023:22.7 The macro EOF shall only be compared with the unmodified return value from any Standard Library function capable of returning EOF
    MisraC2023:D.4.1 Run-time failures shall be minimized
  Misra2012:
    Misra2012:21.13 Any value passed to a function in <ctype.h> shall be representable as an unsigned char or be the value EOF
    Misra2012:22.7 The macro EOF shall only be compared with the unmodified return value from any Standard Library function capable of returning EOF
    Misra2012:D.4.1 Run-time failures shall be minimized
  AUTOSARC++14:
    AUTOSARC++14:A21-8-1 Arguments to character-handling functions shall be representable as an unsigned char.
  CWE:
    CWE:681 Incorrect Conversion between Numeric Types
    CWE:686 Function Call With Incorrect Argument Type
  TS17961:
    TS17961:5.16-signconv Conversion of signed characters to wider integer types before a check for EOF
    TS17961:5.31-chrsgnext Passing arguments to character-handling functions that are not representable as unsigned char
  CERT-C:
    CERT-C:INT05-C Do not use input functions to convert character data if they cannot handle all possible inputs
    CERT-C:STR00-C Represent characters using an appropriate type
    CERT-C:STR34-C Cast characters to unsigned char before converting to larger integer sizes
    CERT-C:STR37-C Arguments to character-handling functions must be representable as an unsigned char
  OWASP-2021:
    OWASP-2021:A4 Insecure design
  OWASP-2025:
    OWASP-2025:A06 Insecure Design
Availability: Available for C and C++.
Enabling: Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

    WARNING_FILTER += discard class="Negative Character Value"

Example

#include <stdio.h>
#include <ctype.h>

void f(const char *instr, int len){
    int i;
    /* ... obtain instr and len */ 
    for (i=0; i<len; i++){
        if (isupper(instr[i])){    /* Negative Character Value warning issued here */
            printf("string has upper case character");
        }
    }

    /* do this instead */
    for (i=0; i<len; i++){
        if (isupper( (unsigned char) instr[i] )){   
            printf("string has upper case character");
        }
    }
}

Notes

The specifications for the character classification and conversion functions defined in ctype.h require that their argument be an int representable as an unsigned char or equal to EOF. At the very least, using a signed char argument will lead to undefined behavior for those cases where the corresponding int value is negative (and not EOF).

In a number of libc implementations these functions are implemented using lookup tables, as in the following example.

  #define islower(x) (_ctype_info[(int)(x) + 1] & _LOCALE)

With this definition, serious problems can arise when islower() is called with a signed character argument:

char c;
if (scanf("%c", &c) == 1){   /* exactly one character was read */
    if (islower(c)){         /* c may hold a negative value here */
        /*...*/
    }
}

An attacker could provide a negative character value, such as '\156' ( = (char)-100, which is 'S' in extended ASCII). This would cause the table lookup to underflow the table buffer, revealing information about the memory location 99 bytes before the start of the table. The attacker could thus gradually deduce the entire contents of the 127-byte memory block immediately adjacent to the table, and this block could contain sensitive information.

Some libc implementations do not use table lookup, but negative char arguments are still a violation of the function specifications. If you need to pass a signed char value to one of these functions, cast it to unsigned char first.
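The table indexing described above can be traced without reading outside any buffer. The following is an added example, not CodeSonar or libc code: model_table, model_index(), model_arg_ok() and the other model_* names are hypothetical, the sample values are constructed, and it assumes EOF is -1 and an ASCII execution character set.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed model of a table-driven <ctype.h>; names are hypothetical.
   Slot 0 holds EOF (assumed -1); slots 1..UCHAR_MAX+1 hold the characters. */
#define MODEL_LOWER 0x02
static unsigned char model_table[UCHAR_MAX + 2];

/* Index that the macro form table[(int)(x) + 1] computes for argument x. */
static int model_index(int x) { return x + 1; }

/* 1 if x is a legal <ctype.h> argument: EOF or representable as unsigned char. */
static int model_arg_ok(int x) {
    return x == EOF || (x >= 0 && x <= UCHAR_MAX);
}

/* Checked lookup: returns -1 for an illegal argument instead of indexing
   outside the table, otherwise 1 or 0. Assumes an ASCII execution charset. */
static int model_islower_checked(int x) {
    int ch;
    if (!model_arg_ok(x)) return -1;
    if (!model_table['a' + 1])                 /* fill the table on first use */
        for (ch = 'a'; ch <= 'z'; ch++) model_table[ch + 1] |= MODEL_LOWER;
    return (model_table[model_index(x)] & MODEL_LOWER) != 0;
}

/* What the page recommends for char data: cast to unsigned char first. */
static int model_islower_char(signed char c) {
    return model_islower_checked((unsigned char)c);
}

int main(void) {
    signed char samples[] = { 'q', 'Q', -100, -1 };   /* constructed input */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        signed char c = samples[i];
        printf("value %4d: raw index %4d (legal arg: %d), cast index %3d, islower=%d\n",
               c, model_index(c), model_arg_ok(c),
               model_index((unsigned char)c), model_islower_char(c));
    }
    return 0;
}
```

The -1 sample is the quiet case: uncast, it is indistinguishable from EOF and lands in the EOF slot, while the cast maps it to index 256, the slot for character value 255.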

Triggers

CodeSonar ships with library models that allow it to recognize functions such as libc tolower() that expect an argument representable as unsigned char. If one of these functions is called with an unsuitable value in the relevant parameter position, a warning will be issued.

If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering Negative Character Value warnings.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

 
