...

Integer truncation errors can lead to buffer overflows and the execution of arbitrary code by an attacker.
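The way a truncating conversion defeats a bounds check, shown as an added example (this is not code from the CERT page; the record type, REC_MAX, and the function names are hypothetical). A size_t length is narrowed into a 16-bit length field before it is checked, so 65536 + 16 becomes 16, passes the check, and the subsequent memcpy still uses the wide value. The compliant variant checks the range before converting, as INT31-C requires, and the last helper covers the signed-to-unsigned case where a negative int wraps to a huge size_t.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not from the CERT page): a record whose length field
 * is 16 bits wide but is filled from a caller-supplied size_t. */
#define REC_MAX 1024u

struct record {
    uint16_t      len;            /* narrower than size_t: the conversion point */
    unsigned char data[REC_MAX];
};

/* The bounds check the noncompliant code actually performs: it inspects the
 * narrowed value, i.e. n modulo 65536, not n itself. Returns true when that
 * check would accept n. */
bool check_after_narrowing(size_t n) {
    uint16_t len = (uint16_t)n;   /* high bits discarded */
    return len <= REC_MAX;
}

/* Noncompliant: narrow first, check second, then copy with the wide value.
 * For n = 65536 + 16, r->len becomes 16, the check passes, and memcpy writes
 * 64 KiB + 16 bytes into a 1 KiB buffer. Shown for contrast; do not call it
 * with such an n. */
bool store_noncompliant(struct record *r, const unsigned char *src, size_t n) {
    r->len = (uint16_t)n;
    if (r->len > REC_MAX)
        return false;
    memcpy(r->data, src, n);      /* n, not r->len: the truncated check never bounded this */
    return true;
}

/* Compliant: prove the value fits the destination type before converting. */
bool size_to_u16(size_t n, uint16_t *out) {
    if (n > UINT16_MAX)
        return false;
    *out = (uint16_t)n;
    return true;
}

bool store_compliant(struct record *r, const unsigned char *src, size_t n) {
    uint16_t len;
    if (!size_to_u16(n, &len) || len > REC_MAX)
        return false;             /* rejected before any narrowing takes effect */
    r->len = len;
    memcpy(r->data, src, len);    /* len == n here, and len <= REC_MAX */
    return true;
}

/* The signed-to-unsigned case: a negative int converted to size_t does not
 * become "small"; it wraps to SIZE_MAX + 1 + v. Reject it up front. */
bool int_to_size(int v, size_t *out) {
    if (v < 0)
        return false;
    *out = (size_t)v;
    return true;
}

/* Exercises the compliant path: the oversized length must be refused and the
 * in-range one stored with its length intact. */
bool compliant_store_behaves(void) {
    struct record r = {0};
    unsigned char src[16] = {0};  /* constructed input */
    if (store_compliant(&r, src, 65536u + 16u))
        return false;
    if (!store_compliant(&r, src, sizeof src))
        return false;
    return r.len == sizeof src;
}

int main(void) {
    size_t s = 0;
    printf("noncompliant check accepts 65552: %s\n",
           check_after_narrowing(65536u + 16u) ? "yes (bug)" : "no");
    printf("compliant store behaves: %s\n", compliant_store_behaves() ? "yes" : "no");
    printf("int_to_size(-1) rejected: %s\n", int_to_size(-1, &s) ? "no" : "yes");
    return 0;
}
```

The pattern in store_noncompliant is exactly what the ALLOC.SIZE.TRUNC / MISC.MEM.SIZE.TRUNC and Coverity REVERSE_NEGATIVE style checkers listed below look for: a check that runs on an already-converted value, or after the wide value has been used. Compiling with -Wconversion also flags the implicit narrowing, but only the explicit range test prevents it.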

Rule    | Severity | Likelihood | Remediation Cost | Priority | Level
INT31-C | High     | Probable   | High             | P6       | L2

Automated Detection

Tool                 | Version | Checker                                | Description
Astrée               |         |                                        | Supported, but no explicit checker
CodeSonar            |         | LANG.CAST.PC.AV                        | Cast: arithmetic type/void pointer
                     |         | LANG.CAST.PC.CONST2PTR                 | Conversion: integer constant to pointer
                     |         | LANG.CAST.PC.INT                       | Conversion: pointer/integer
                     |         | LANG.CAST.COERCE                       | Coercion alters value
                     |         | LANG.CAST.VALUE                        | Cast alters value
                     |         | ALLOC.SIZE.TRUNC                       | Truncation of allocation size
                     |         | MISC.MEM.SIZE.TRUNC                    | Truncation of size
                     |         | LANG.MEM.TBA                           | Tainted buffer access
Compass/ROSE         |         |                                        | Can detect violations of this rule. However, false warnings may be raised if limits.h is included
Coverity*            |         | NEGATIVE_RETURNS                       | Can find array accesses, loop bounds, and other expressions that may contain dangerous implied integer conversions that would result in unexpected behavior
                     |         | REVERSE_NEGATIVE                       | Can find instances where a negativity check occurs after the negative value has been used for something else
                     |         | MISRA_CAST                             | Can find instances where an integer expression is implicitly converted to a narrower integer type, where the signedness of an integer value is implicitly converted, or where the type of a complex expression is implicitly converted
Cppcheck             |         | memsetValueOutOfRange                  | The second argument to memset() cannot be represented as unsigned char
Klocwork             |         | PRECISION.LOSS                         |
                     |         | PRECISION.LOSS.CALL                    |
LDRA tool suite      |         | 93 S, 433 S, 434 S                     | Partially implemented
Polyspace Bug Finder | R2016a  | Integer conversion overflow            | Overflow when converting between integer types
                     |         | Sign change integer conversion overflow | Overflow when converting between signed and unsigned integers
                     |         | Tainted sign change conversion         | Value from an unsecure source changes sign
                     |         | Unsigned integer conversion overflow   | Overflow when converting between unsigned integer types
PRQA QA-C++          |         | 2850, 2851, 2852, 2853, 2855, 2856, 2857, 2858, 2890, 2891, 2892, 2893, 2895, 2896, 2897, 2898, 2900, 2901, 2902, 2903, 2905, 2906, 2907, 2908, 3000, 3010 |
PRQA QA-C            |         | 2850, 2851, 2852, 2853, 2855, 2856, 2857, 2858, 2890, 2891, 2892, 2893, 2895, 2896, 2897, 2898, 2900, 2901, 2902, 2903, 2905, 2906, 2907, 2908 | Partially implemented
PVS-Studio           | 6.22    | V569, V642, V724, V739                 | General analysis rule set

* Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

...


Taxonomy                                   | Taxonomy item                                                                                           | Relationship
CERT C                                     | DCL03-C. Use a static assertion to test the value of a constant expression                              | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C                                     | INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size       | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C                                     | FIO34-C. Distinguish between characters read from a file and EOF or WEOF                                | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT Oracle Secure Coding Standard for Java | NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data | Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013                      | Numeric Conversion Errors [FLC]                                                                         | Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012                               | Rule 10.1 (required)                                                                                    | Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012                               | Rule 10.3 (required)                                                                                    | Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012                               | Rule 10.4 (required)                                                                                    | Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012                               | Rule 10.6 (required)                                                                                    | Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012                               | Rule 10.7 (required)                                                                                    | Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11                                   | CWE-192, Integer Coercion Error                                                                         | 2017-07-17: CERT: Exact
CWE 2.11                                   | CWE-197, Numeric Truncation Error                                                                       | 2017-06-14: CERT: Rule subset of CWE
CWE 2.11                                   | CWE-681, Incorrect Conversion between Numeric Types                                                     | 2017-07-17: CERT: Rule subset of CWE
CWE 2.11                                   | CWE-704, Incorrect Type Conversion or Cast                                                              | 2017-07-17: CERT: Rule subset of CWE

CERT-CWE Mapping Notes


...

CWE-681 = Union(INT31-C, FLP34-C)
Intersection(INT31-C, FLP34-C) = Ø

Bibliography

[Dowd 2006] Chapter 6, "C Language Issues" ("Type Conversions," pp. 223–270)
[ISO/IEC 9899:2011] 6.3.1.3, "Signed and Unsigned Integers"
[Jones 2008] Section 6.2.6.2, "Integer Types"
[Seacord 2013b] Chapter 5, "Integer Security"
[Viega 2005] Section 5.2.9, "Truncation Error"; Section 5.2.10, "Sign Extension Error"; Section 5.2.11, "Signed to Unsigned Conversion Error"; Section 5.2.12, "Unsigned to Signed Conversion Error"
[Warren 2002] Chapter 2, "Basics"
[xorl 2009] "CVE-2009-1376: Pidgin MSN SLP Integer Truncation"

...

