Modernizing C Arrays for Greater Memory Safety

Lately, there has been a push for people to stop using programming languages that don’t promote memory safety. But as we still haven’t seen the death of some languages that were born in the early 1960s, we don’t think there will be much success in replacing the tremendous amount of software that uses said “unsafe” languages.

That doesn’t mean it’s a hopeless cause, though. [Kees Cook] recently posted how modern C99 compilers offer features to help create safer arrays, and he outlines how you can take advantage of these features. Turns out, it is generally easy to do, and if you get errors, they probably point out unexpected behavior in your original code, so that’s a plus.

We don’t think there’s anything wrong with C and C++ if you use them as you should. Electrical outlets are useful until you stick a fork in one. So don’t stick a fork in one. We really liked the recent headline we saw from [Sarah Butcher]: “If you can’t write safe C++ code, it’s because you can’t write C++.” [Cook’s] post makes a similar argument.  C has advanced quite a bit and the fact that 30-year-old code doesn’t use these new features isn’t a good excuse to give up on C.

The biggest problem is something that has been around for a long time that C99 names “flexible arrays.” That is when you say something like: int bits[] or, historically, int bits[0]. These are really not arrays but pointers that probably point to an array of an unknown — to the compiler — size. Even worse is that many structures will have a flexible array at the end to indicate they are nothing more than a header to a larger data structure.

For example:


struct packet {

unsigned seqno;
unsigned len;
unsigned src;
unsigned dst;
byte data[4];

};

Given a pointer to this structure, you can access, say, data[20] and that’s not an error. Presumably, the len field tells you the size, but the compiler doesn’t know that, nor would it know if it is the size of the array, the whole structure, or something totally different.

There are several possible cases and [Kees] goes through them all. Well worth a read if you use or maintain C code that uses arrays. We look at some cases, too, especially with those tricky unions. While everyone likes to pick on C as being unsafe, it is pretty green.



Modernizing C Arrays for Greater Memory Safety
Source: Manila Flash Report

Post a Comment

0 Comments