...

String-handling functions defined in the C Standard, subclause 7.24, and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of the C11 Annex K functions can eliminate most of these issues.
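As an added illustration (not code from this guideline), the sketch below shows the bounded-copy contract that `strcpy_s` defines. Because Annex K is optional and many C libraries omit it, `demo_strcpy_s` is a hypothetical stand-in written for this example; `struct record` and `set_name` are also constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Annex K strcpy_s (assumption: the C library in
 * use does not provide Annex K). It follows the same contract for the cases
 * shown: if src plus its terminator does not fit in destsz bytes, nothing is
 * copied, dest[0] is set to '\0', and a nonzero value is returned.
 * Overlap and RSIZE_MAX checks are omitted. */
static int demo_strcpy_s(char *dest, size_t destsz, const char *src) {
    size_t n = 0;
    if (dest == NULL || destsz == 0)
        return 1;                      /* no usable destination */
    if (src == NULL) {
        dest[0] = '\0';
        return 1;
    }
    while (n < destsz && src[n] != '\0')
        n++;                           /* reads at most destsz bytes of src */
    if (n == destsz) {                 /* no room left for the terminator */
        dest[0] = '\0';
        return 1;
    }
    memcpy(dest, src, n + 1);          /* n characters plus '\0' */
    return 0;
}

/* Constructed record: canary follows name so an overflow would be visible. */
struct record {
    char name[8];
    unsigned canary;
};

/* strcpy(rec->name, input) would write past name[] for any input of 8 or
 * more characters; the bounded call rejects such input instead. */
int set_name(struct record *rec, const char *input) {
    return demo_strcpy_s(rec->name, sizeof rec->name, input);
}

int main(void) {
    struct record r = { "", 0xC0FFEEu };
    int rc = set_name(&r, "alice");
    printf("rc=%d name=\"%s\"\n", rc, r.name);
    rc = set_name(&r, "administrator");
    printf("rc=%d name=\"%s\" canary=%#x\n", rc, r.name, r.canary);
    return 0;
}
```

Callers must check the return value: a rejected copy leaves an empty string in the destination, which is safe memory-wise but still needs handling as an error.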

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| STR07-C | High | Probable | Medium | P12 | L1 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | BADFUNC.BO.OEMTOCHAR | Use of OemToAnsi, use of OemToChar (both include checks for uses of similar functions) |
| | | BADFUNC.BO.STRCAT | Use of strcat (includes checks for uses of similar library functions such as StrCatA(), wcscat(), etc.) |
| | | BADFUNC.BO.STRCATCHAINW | Use of StrCatChainW |
| | | BADFUNC.BO.STRCMP | Use of strcmp (includes checks for uses of similar library functions such as lstrcmp()) |
| | | BADFUNC.BO.STRCPY | Use of strcpy (includes checks for uses of similar library functions such as StrCCpy(), wcscpy(), etc.) |
| | | BADFUNC.BO.STRLEN | Use of strlen (includes checks for uses of similar library functions such as lstrlen()) |
| | | BADFUNC.BO.STRTRNS | Use of strtrns |
| LDRA tool suite | | 44 S | Enhanced enforcement |
| Parasoft C/C++test | | SECURITY-13 | |
| Parasoft Insure++ | | | Runtime analysis |
| Polyspace Bug Finder | R2016a | Use of dangerous standard function | Dangerous functions cause possible buffer overflow in destination buffer |
| | | Destination buffer overflow in string manipulation | Function writes to buffer at offset greater than buffer size |
| PRQA QA-C | | 5008 | Partially implemented |
| SonarQube C/C++ Plugin | | S1081 | |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[Seacord 2005b] "Managed String Library for C, C/C++"
[Seacord 2013] Chapter 2, "Strings"

 


...