C Programming – How Using #define for Loop and Condition Bounds Increases Security

cprogramming practicesSecurity

My program uses the following define statements:

#define LOWEST_PATIENT_ID 10000
#define HIGHEST_PATIENT_ID 99999
#define LOWEST_CRITICAL_STATUS 1
#define HIGHEST_CRITICAL_STATUS 100

used in this type of code:

do{
   scanf("%d", &c_status);
   }while((c_status<LOWEST_CRITICAL_STATUS)
           ||(c_status>HIGHEST_CRITICAL_STATUS));

I'm unclear about how this is more secure. or is it the typedef statement that is secure?

Best Answer

Indexes, limits, bounds, etc., are always security-related with C code because of overflow exploit issues. Specifically, if you get the number wrong, you code is a candidate for exploitation.

Assigning the constant to a symbol does two things: it makes the number easier to verify in a review because it's immediately obvious what the number means, and more importantly, it ensures that every time you use the number in your code, you're using the SAME value.

Imagine, for example, where the number represents the length of the input field, and at some point you increase that length to accommodate larger names. If you've specified the value numerically in your code, you have to go track down every instance of that number and replace it, but only if the instance of that number represents your specific field (you can't just use search and replace to change every instance of 128 to 256 because the number could mean different things).

Furthermore, in some instances you may be using N+1 (e.g. to allow for termination), so you'd have to track down every instance of 128 and every instance of 129. And was there a reason to specify 130 as well? Oh, now it's difficult to remember. But don't miss any of them of you'll create a classic buffer overflow exploit.

If instead you just did #define FIRST_NAME_LENGTH 128 in one of your include files, and keyed all the corresponding values off that, then you can just change the number once and be done with it.

This is true even in instances where you only use the number once, because while you're CURRENTLY only using the number once, someone may need to extend the code in the future.

This is such an important issue that you should have been taught from day 1 to avoid "magic numbers" in your code. If the number "means" something, then you should make its meaning explicit.

Related Solutions

C/C++ Programming Practices – Typedefs and #defines

A typedef is generally preferred unless there's some odd reason that you specifically need a macro.

macros do textual substitution, which can do considerable violence to the semantics of the code. For example, given:

#define MYINTEGER int

you could legally write:

short MYINTEGER x = 42;

because short MYINTEGER expands to short int.

On the other hand, with a typedef:

typedef int MYINTEGER:

the name MYINTEGER is another name for the type int, not a textual substitution for the keyword "int".

Things get even worse with more complicated types. For example, given this:

typedef char *char_ptr;
char_ptr a, b;
#define CHAR_PTR char*
CHAR_PTR c, d;

a, b, and c are all pointers, but d is a char, because the last line expands to:

char* c, d;

which is equivalent to

char *c;
char d;

(Typedefs for pointer types are usually not a good idea, but this illustrates the point.)

Another odd case:

#define DWORD long
DWORD double x;     /* Huh? */

C++ – Using C Expressions in C++ Code

No, it's a bad habit. When you do this for a living, you'll likely end up violating style guides that your team adheres to (or at least get whacked during code reviews).

Yes it works, but if there's a c++ equivalent, use it. (e.g. try not to mix printfs with couts)

Best Answer

Related Solutions

C/C++ Programming Practices – Typedefs and #defines

C++ – Using C Expressions in C++ Code

Related Topic