【转】http://blog.csdn.net/deltatang/article/details/41713795
INT36-C. Converting a pointer to integer or integer to pointer
-
Created by , last modified by Jill Britton on Aug 04, 2014
Although programmers often use integers and pointers interchangeably in C, pointer-to-integer and integer-to-pointer conversions are implementation-defined.
Conversions between integers and pointers can have undesired consequences depending on theimplementation. According to the C Standard, subclause 6.3.2.3 [ISO/IEC 9899:2011],
An integer may be converted to any pointer type. Except as previously specified, the result is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
Any pointer type may be converted to an integer type. Except as previously specified, the result is implementation-defined. If the result cannot be represented in the integer type, the behavior is undefined. The result need not be in the range of values of any integer type.
Do not convert an integer type to a pointer type if the resulting pointer is incorrectly aligned, does not point to an entity of the referenced type, or is a trap representation.
Do not convert a pointer type to an integer type if the result cannot be represented in the integer type (seeundefined behavior 24).
The mapping between pointers and integers must be consistent with the addressing structure of the execution environment. Issues may arise, for example, on architectures that have a segmented memory model.
Noncompliant Code Example
The size of a pointer can be greater than the size of an integer, such as in an implementation where pointers are 64 bits and unsigned integers are 32 bits. This code example is noncompliant on such implementations because the result of converting the 64-bit ptr cannot be represented in the 32-bit integer type:
void
f(
void
) {
char
*ptr;
/* ... */
unsigned
int
number = (unsigned
int
)ptr;
/* ... */
}
|
Compliant Solution
Any valid pointer to void can be converted to intptr_t or uintptr_t and back with no change in value (seeINT36-EX2). The C Standard guarantees that a pointer to void may be converted to or from a pointer to any object type and back again and that the result must compare equal to the original pointer. Consequently, converting directly from a char * pointer to a uintptr_t, as in this compliant solution, is allowed on implementations that support the uintptr_t type.
#include <stdint.h>
void
f(
void
) {
char
*ptr;
/* ... */
uintptr_t
number = (
uintptr_t
)ptr;
/* ... */
}
|
Noncompliant Code Example
In this noncompliant code example, the pointer ptr is converted to an integer value. The high-order 9 bits of the number are used to hold a flag value, and the result is converted back into a pointer. This example is noncompliant on an implementation where pointers are 64 bits and unsigned integers are 32 bits because the result of converting the 64-bit ptr cannot be represented in the 32-bit integer type.
void
func(unsigned
int
flag) {
char
*ptr;
/* ... */
unsigned
int
number = (unsigned
int
)ptr;
number = (number & 0x7fffff) | (flag << 23);
ptr = (
char
*)number;
}
|
A similar scheme was used in early versions of Emacs, limiting its portability and preventing the ability to edit files larger than 8MB.
Compliant Solution
This compliant solution uses a struct to provide storage for both the pointer and the flag value. This solution is portable to machines of different word sizes, both smaller and larger than 32 bits, working even when pointers cannot be represented in any integer type.
struct
ptrflag {
char
*pointer;
unsigned
int
flag : 9;
} ptrflag;
void
func(unsigned
int
flag) {
char
*ptr;
/* ... */
ptrflag.pointer = ptr;
ptrflag.flag = flag;
}
|
Noncompliant Code Example
It is sometimes necessary to access memory at a specific location, requiring a literal integer to pointer conversion. In this noncompliant code, a pointer is set directly to an integer constant, where it is unknown whether the result will be as intended:
unsigned
int
*g(
void
) {
unsigned
int
*ptr = 0xdeadbeef;
/* ... */
return
ptr;
}
|
The result of this assignment is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.
Compliant Solution
Adding an explicit cast may help the compiler convert the integer value into a valid pointer. A common technique is to assign the integer to a volatile-qualified object of type intptr_t or uintptr_t and then assign the integer value to the pointer:
unsigned
int
*g(
void
) {
volatile
uintptr_t
iptr = 0xdeadbeef;
unsigned
int
*ptr = (unsigned
int
*)iptr;
/* ... */
return
ptr;
}
|
Exceptions
INT36-EX1: A null pointer can be converted to an integer; it takes on the value 0. Likewise, the integer value 0 can be converted to a pointer; it becomes the null pointer.
INT36-EX2: Any valid pointer to void can be converted to intptr_t or uintptr_t or their underlying types and back again with no change in value. Use of underlying types instead of intptr_t or uintptr_t is discouraged, however, because it limits portability.
#include <assert.h>
#include <stdint.h>
void
h(
void
) {
intptr_t
i = (
intptr_t
)(
void
*)&i;
uintptr_t
j = (
uintptr_t
)(
void
*)&j;
void
*ip = (
void
*)i;
void
*jp = (
void
*)j;
assert
(ip == &i);
assert
(jp == &j);
}
|
Risk Assessment
Converting from pointer to integer or vice versa results in code that is not portable and may create unexpected pointers to invalid memory locations.
| Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
| INT36-C |
Low |
Probable |
High |
P2 |
L3 |
Automated Detection
| Tool |
Version |
Checker |
Description |
|---|---|---|---|
| Compass/ROSE | |||
| Coverity | 6.5 | POINTER_CONVERSION_LOSES_BITS | Fully Implemented |
| 8.5.4 | 94 S |
Fully implemented | |
| PRQA QA-C | v8.2 | 305, 306, 309, 674 | Partially implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CERT C++ Coding Standard | INT11-CPP. Take care when converting from pointer to integer or integer to pointer |
| ISO/IEC TR 24772:2013 | Pointer Casting and Pointer Type Changes [HFC] |
| ISO/IEC TS 17961:2013 | Converting a pointer to integer or integer to pointer [intptrconv] |
| MITRE CWE | CWE-466, Return of Pointer Value Outside of Expected Range CWE-587, Assignment of a Fixed Address to a Pointer |
Bibliography
| [ISO/IEC 9899:2011] | 6.3.2.3, "Pointers" |
本文转自fatshi51CTO博客,原文链接:http://blog.51cto.com/duallay/1871615 ,如需转载请自行联系原作者
