CWE Rule 587

Assignment of a Fixed Address to a Pointer

Since R2023a

expand all in page

Description

Rule Description

The software sets a pointer to a specific address other than NULL or 0.

Polyspace Implementation

The rule checker checks for Function pointer assigned with absolute address.

Examples

expand all

Function pointer assigned with absolute address

Issue

This issue occurs when a function pointer is assigned an absolute address.

Bug Finder considers expressions with any combination of literal constants as an absolute address. The one exception is when the value of the expression is zero.

Risk

Using a fixed address is not portable because it is possible that the address is invalid on other platforms.

An attacker can inject code at the absolute address, causing your program to execute arbitrary, possibly malicious, code.

Fix

Do not use an absolute address with function pointers.

Example — Function Pointer Address Assignment

extern int func0(int i, char c);
typedef int (*FuncPtr) (int, char);

FuncPtr funcptrabsoluteaddr() {
    return (FuncPtr)0x08040000;  //Noncompliant
}

In this example, the function returns a function pointer to the address 0x08040000. If an attacker knows this absolute address, an attacker can compromise your program.

Correction — Function Address

One possible correction is to use the address of an existing function instead.

extern int func0(int i, char c);
typedef int (*FuncPtr) (int, char);

FuncPtr funcptrabsoluteaddr() {
    return &func0;
}

Check Information

Category: Pointer Issues

Version History

Introduced in R2023a

expand all

R2024a: Checker correctly interprets content of array element as fixed address

The rule checker reports a violation when you assign the content of an array element as memory address to a pointer. For example, in this code snippet the assignments to the pointers Func1 and Func2 are noncompliant because the contents of arr1[0] and arr2[0] are correctly interpreted as fixed addresses which might not be valid on other systems.

typedef void (*FuncPtr)(void);

void myFunc(void)
{
    unsigned char  arr1[1] = {0xFF};
    unsigned char arr2[1];

    FuncPtr Func;
    FuncPtr Func1;
    // Cast arrays to function pointers
    // Assignmnent to Func and Func1 interprets contents of 
    // arr1 and arr2 as memory addresses
    Func = (FuncPtr)arr1;        //Noncompliant
    Func = (FuncPtr) &(arr1[0]); //Noncompliant
    Func1 = (FuncPtr)arr2;       //Noncompliant

    Func();
    Func1();
}

Previously, Polyspace did not report a violation for assignments of the content of array elements to pointers.