...
Ensure that `restrict`-qualified source and destination pointers do not reference overlapping objects when invoking library functions. For example, the following table lists C standard library functions that copy memory from a source object referenced by a `restrict`-qualified pointer to a destination object that is also referenced by a `restrict`-qualified pointer:
Standard C | Annex K
---|---
strcpy() | strcpy_s()
strncpy() | strncpy_s()
strcat() | strcat_s()
strncat() | strncat_s()
memcpy() | memcpy_s()
| strtok_s()
If the objects referenced by arguments to these functions overlap (meaning the objects share some common memory addresses), the behavior is undefined. (See also undefined behavior 68.) The result of the functions is unknown, and data may be corrupted. As a result, these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share common memory addresses, a copy function guaranteed to work on overlapping memory, such as `memmove()`, should be used.
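The overlap test and the `memmove()` fallback described above, as an added example that is not part of the CERT rule's own compliant solutions. The helper names `ranges_overlap`, `copy_checked` and `demo_shift` are assumptions for this illustration; addresses are compared as integers because C does not define relational comparison of pointers into different objects.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns true when the byte ranges [a, a+n) and [b, b+n) share at least
   one address. Comparison is done on uintptr_t values so the check is
   well defined even when a and b point into different objects. */
bool ranges_overlap(const void *a, const void *b, size_t n) {
    uintptr_t x = (uintptr_t)a, y = (uintptr_t)b;
    if (n == 0) return false;               /* empty ranges never overlap */
    return (x < y) ? (y - x < n) : (x - y < n);
}

/* Copy that never hands overlapping objects to memcpy(), whose parameters
   are restrict-qualified. When the objects overlap it uses memmove(),
   which is specified to behave as if copying through a temporary buffer.
   Returns 1 if the memmove() fallback was taken, 0 if memcpy() was used. */
int copy_checked(void *dst, const void *src, size_t n) {
    if (ranges_overlap(dst, src, n)) {
        memmove(dst, src, n);
        return 1;
    }
    memcpy(dst, src, n);                    /* restrict contract holds */
    return 0;
}

/* Constructed demonstration: shifting "abcdefgh" right by two bytes within
   the same array is exactly the overlapping case memcpy() must not see.
   Writes the resulting string into out and returns copy_checked()'s flag. */
int demo_shift(char *out, size_t outlen) {
    char buf[] = "abcdefgh";                /* 9 bytes including the NUL */
    int fell_back = copy_checked(buf + 2, buf, 6);   /* ranges overlap */
    buf[8] = '\0';
    snprintf(out, outlen, "%s", buf);       /* format is a literal, never tainted */
    return fell_back;                       /* 1; out holds "ababcdef" */
}
```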
...
Ensure that functions that accept a `restrict`-qualified pointer to a `const`-qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following table lists some of the common functions for which the format argument is a `restrict`-qualified pointer to a `const`-qualified type.
Standard C | Annex K
---|---
printf() | printf_s()
scanf() | scanf_s()
sprintf() | sprintf_s()
snprintf() | snprintf_s()
For formatted output functions such as `printf()`, it is unlikely that a programmer would modify the format string. However, an attacker may attempt to do so if a program violates FIO30-C (Exclude user input from format strings) and passes tainted values as part of the format string.
...
The incorrect use of `restrict`-qualified pointers can result in undefined behavior that might be exploited to cause data integrity violations.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
EXP43-C | Medium | Probable | High | P4 | L3
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
Astrée | | | Supported, but no explicit checker
CodeSonar | | LANG.TYPE.RESTRICT | Restrict qualifier used
Coverity | | MISRA C 2012 Rule 8.14 | Partially implemented
LDRA tool suite | | 480 S, 489 S, 613 S | Enhanced enforcement
Parasoft C/C++test | | CODSTA-121 | Fully implemented
Polyspace Bug Finder | R2016a | Copy of overlapping memory | Source and destination arguments of a copy function have overlapping memory
PRQA QA-C | | 1057 |
SonarQube C/C++ Plugin | | S1836 | Implements MISRA C:2012 Rule 8.14 to flag uses of restrict
Related Guidelines
Taxonomy | Taxonomy item | Relationship
---|---|---
CERT C Secure Coding Standard | FIO30-C. Exclude user input from format strings | Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013 | Passing Parameters and Return Values [CSJ] | Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961 | Passing pointers into the same object as arguments to different restrict-qualified parameters [restrict] | Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012 | Rule 8.14 (required) [1] | Prior to 2018-01-12: CERT: Unspecified Relationship

[1] MISRA Rule 8.14 prohibits the use of the restrict keyword except in C standard library functions.
Bibliography
[ISO/IEC 9899:2011] | 6.7.3.1, "Formal Definition of restrict"
[Walls 2006] |
...
...