Function pointer assigned with absolute address

Constant expression is used as function address is vulnerable to code injection

Description

This defect occurs when a function pointer is assigned an absolute address.

Bug Finder considers expressions with any combination of literal constants as an absolute address. The one exception is when the value of the expression is zero.

Risk

Using a fixed address is not portable because it is possible that the address is invalid on other platforms.

An attacker can inject code at the absolute address, causing your program to execute arbitrary, possibly malicious, code.

Fix

Do not use an absolute address with function pointers.

Examples

expand all

Function Pointer Address Assignment

extern int func0(int i, char c);
typedef int (*FuncPtr) (int, char);

FuncPtr funcptrabsoluteaddr() {
    return (FuncPtr)0x08040000; 
}

In this example, the function returns a function pointer to the address 0x08040000. If an attacker knows this absolute address, an attacker can compromise your program.

Correction — Function Address

One possible correction is to use the address of an existing function instead.

extern int func0(int i, char c);
typedef int (*FuncPtr) (int, char);

FuncPtr funcptrabsoluteaddr() {
    return &func0;
}

Result Information

Group: Security

Language: C | C++

Default: Off

Command-Line Syntax: FUNC_PTR_ABSOLUTE_ADDR

Impact: Low

PQL Name: std.defects.FUNC_PTR_ABSOLUTE_ADDR

Version History

Introduced in R2015b