C++ allows the traditional C-style casts, although it has introduced its own casts:
static_cast<type>(expression)
const_cast<type>(expression)
dynamic_cast<type>(expression)
reinterpret_cast<type>(expression)
C++ casts allow for more compiler checking and thus are considerably safer to use. They are also easier to find in source code (either by tools or by human readers).
Non-Compliant Code Example (static_cast()
)
In this example, a C-style cast is used to convert an int
to a double
:
Compliant Solution (static_cast()
)
Using the new cast, the division should be written as:
This code is safer (as the compiler can check that it really is a static type conversion), and the cast is easier to find.
Non-Compliant Code Example (const_cast()
)
In this example, a C-style cast is used to remove the const
ness of a function parameter:
Compliant Solution (const_cast()
)
Using the new cast, the function call should be written as:
Again, this is safer (as the compiler can check that the only conversion is to remove the const
ness), and it is easier to find.
Note that this code runs afoul of .
The const_cast
may also be used to cast away volatility, but that is forbidden by .
Non-Compliant Code Example (dynamic_cast()
)
In this example, a C-style cast is used to convert a type in an inheritance heirarchy:
Compliant Solution (dynamic_cast()
)
Using the new cast, the function call should be written as:
In this case, the compiler can check that it really is a conversion between two types in the same inheritance heirarchy.
Non-Compliant Code Example (reinterpret_cast()
)
In this example, a C-style cast is used to convert a double
function pointer to an int
function pointer:
Compliant Solution (reinterpret_cast()
)
Using the new cast, the assignment should be written as:
Once again, the compliant code has the advantage that the cast is much more visible than if a C-style cast is used (although the compiler is not able to check much in the case of a reinterpret_cast
).
Risk Assessment
Using C-style casts can lead to type errors because the compiler is unable to apply the checking that is possible when using the more restrictive C++ casts. Type errors could lead to an attacker being able to execute arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP05-CPP | high | probable | medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
| 1.2 | CP1.EXP05 | Fully implemented |
v3.2 | 3080,3082 |