Versions Compared

Comment: Added Polyspace Bug Finder

...

Following are the character classification functions that this rule addresses:

isalnum()
isalpha()
isascii()  (XSI)
isblank()
iscntrl()
isdigit()
isgraph()
islower()
isprint()
ispunct()
isspace()
isupper()
isxdigit()
toascii()  (XSI)
toupper()
tolower()

XSI denotes an X/Open System Interfaces Extension to ISO/IEC 9945—POSIX. These functions are not defined by the C Standard.

...

Passing a value that cannot be represented as an unsigned char (and is not equal to EOF) to any of these character handling functions is undefined behavior.
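As an added illustration (not code from the CERT page), the non-compliant pattern is shown beside its compliant form; the function names and the constructed input string are my own:

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Where plain char is signed, a byte >= 0x80 stored in a char becomes a
 * negative int after default promotion.  Passing that value to a <ctype.h>
 * function is undefined behavior unless it happens to equal EOF. */

/* Non-compliant: *s is promoted as-is and may be negative. */
static int count_alpha_noncompliant(const char *s) {
    int n = 0;
    for (; *s != '\0'; ++s) {
        if (isalpha(*s)) {          /* UB when *s < 0 and *s != EOF */
            ++n;
        }
    }
    return n;
}

/* Compliant: the cast keeps the argument within 0..UCHAR_MAX, which every
 * <ctype.h> function accepts. */
static int count_alpha_compliant(const char *s) {
    int n = 0;
    for (; *s != '\0'; ++s) {
        if (isalpha((unsigned char)*s)) {
            ++n;
        }
    }
    return n;
}

/* Reports whether passing this char unchanged would be out of range:
 * true only on platforms where char is signed and the byte is >= 0x80. */
static int would_be_undefined(char c) {
    int v = c;                      /* default argument promotion */
    return v < 0 && v != EOF;
}

int main(void) {
    /* Constructed input: a Latin-1 e-acute (0xE9) between ASCII letters. */
    const char sample[] = "ab\xE9" "z";
    printf("char is %s on this platform\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("compliant count in the C locale: %d\n", count_alpha_compliant(sample));
    printf("0xE9 would be passed out of range: %d\n", would_be_undefined((char)0xE9));
    (void)count_alpha_noncompliant;     /* kept for comparison; not exercised */
    return 0;
}
```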

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
STR37-C   Low       Unlikely    Low               P3        L3

Automated Detection

Tool                  Version  Checker                                   Description
Astrée                                                                   Supported, but no explicit checker
CodeSonar                      MISC.NEGCHAR                              Negative character value
Compass/ROSE                                                             Could detect violations of this rule by seeing if the argument to a character handling function (listed above) is not an unsigned char
ECLAIR                         CC2.STR37                                 Fully implemented
LDRA tool suite                663 S                                     Fully implemented
Polyspace Bug Finder  R2017a   Misuse of sign-extended character value   Data type conversion with sign extension causes unexpected behavior
PRQA QA-C                      4413, 4414                                Fully implemented
PRQA QA-C++           4.2      3051

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Key here (explains table format and definitions)

Taxonomy                        Taxonomy item                                                                                             Relationship
CERT C Secure Coding Standard   STR34-C. Cast characters to unsigned char before converting to larger integer sizes                      Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961                Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext]   Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11                        CWE-704, Incorrect Type Conversion or Cast                                                                2017-06-14: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

...

STR37-C excludes mis-ordered function arguments (assuming they pass type-checking), because there is no easy way to reliably detect violations of CWE-683.


...