SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 73

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 74

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expresses either the size of an object with an effective type, or the number of bytes allocated for such an object.

For an object with an effective type T the effective size of the object is the result of the sizeof(T) expression. For an object with no effective type (for example, an object for which space has just been allocated by a call to malloc(N)), the effective size is the number of bytes allocated for it (that is, N).

EXAMPLE 1 The effective size of *p refers to the effective size of the object or space referenced by p minus the offset of p from the beginning of the space or object, respectively.

EXAMPLE 2 For the following declarations

Code Block
langc
int a[5];
void *p = a + 2;

the effective size of *p is equal to sizeof(a - 2) * sizeof(*a), or 12 when sizeof(int) is 4.

The effective size of a pointer is the size of the object to which it points.

...

the effective size of the pointer p is sizeof(arr), that is, 5*sizeof(int).

The effective type of an object is defined as either its declared type or (if its type isn't declared) the effective type of the value assigned to it.

...

Following is an incomplete list of C library functions to which this rule applies.

Library functions that take a pointer and integerFunctions That Take a Pointer and Integer

The following standard library functions take a pointer argument and a size argument, with the constraint that the pointer must point to a valid memory object of at least the number of bytes or wide characters (as appropriate) indicated by the size argument.

fgets()

fread()*

fwrite()*

mblen()

memchr()

memset()

fgetws()

wmemchr()

wmemset()

mbrlen()

tmpnam_s()

gets_s()

getenv_s()

memset_s()

strerror_s()

strnlen_s()

asctime_s()

ctime_s()

wcscpy_s()

wcsncpy_s()

wmemcpy_s()

wmemmove_s()

wcscat_s()

wcsncat_s()

wcsnlen_s()

 

 

 

Library functions that take two pointers Functions That Take Two Pointers and an integerInteger

The following standard library functions take two pointer arguments and a size argument, with the constraint that both pointers must point to valid memory objects of at least the number of bytes or wide characters as appropriate, indicated by the size argument.

mbtowc()

wctomb()

mbtowcs()

wcstombs()

memcpy()

memmove()

strncpy()

strncat()

memcmp()

strncmp()

strxfrm()

mbrtoc16()

mbrtoc32()

wcsncpy()

wmemcpy()

wmemmove()

wcsncat()

wcsncmp()

wcsxfrm()

wmemcmp()

mbrtowc()

wcrtomb()

mbsrtowcs()

wcsrtombs()

wctomb_s()

mbtowcs_s()

wcstombs_s()

memcpy_s()

memmove_s()

strcpy_s()

strncpy_s()

strcat_s()

strncat_s()

wcscpy_s()

wcsncpy_s()

wmemcpy_s()

wmemmove_s()

wcscat_s()

wcsncat_s()

wcrtomb_s()

mbsrtowcs_s()

wcsrtombs_s()

 

 

 Library functions that take a pointer and two integersFunctions That Take a Pointer and Two Integers

The following standard library functions take a pointer argument and two size arguments, with the constraint that the pointer must point to a valid memory object containing at least as many bytes as the product of the two size arguments.

bsearch()

qsort()

bsearch_s()

qsort_s()

Standard memory allocation functionsMemory Allocation Functions

The following are the standard memory allocation functions that take a size integer argument and return a pointer.

...

This noncompliant code example assigns a value greater than the size of available memory to n, which is then passed to memset().:

Code Block
bgColor#FFcccc
void f1(size_t nchars) {
  char *p = (char *)malloc(nchars);
  const size_t n = nchars + 1;

  memset(p, 0, n);
  /* ... */
}

...

In this compliant solution, the derived type of n is also float.:

Code Block
bgColor#ccccff
void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(float) * ARR_SIZE;
  void *p = a;

  memset(p, 0, n);
  /* ... */
}

...

This compliant solution ensures that the value of n is not greater than the minimum of the effective sizes of *p and *q and that the effective types of the two pointers are identical (float).:

Code Block
bgColor#ccccff
void f3(float *a, size_t val) {
  float b = 3.14;
  const size_t n = val;
  void *p = a;
  void *q = &b;

  if( (n > sizeof(a)) || (n > sizeof(b)) ) {
    /* Handle error */
  } else {
    memcpy(p, q, n);
    /* ... */
  }
}

...

This compliant solution ensures that the derived type of n (wchar_t) is the same as the type of T (wchar_t) and that the value of n is not less than the size of T.:

Code Block
bgColor#ccccff
wchar_t *f4() {
  const wchar_t *p = L"Hello, World!";
  const size_t n = sizeof(wchar_t) * (wcslen(p) + 1);

  wchar_t *q = (wchar_t*) malloc(n);
  return q;
}

...

In this noncompliant example, a diagnostic is required because the value of n is not computed correctly, allowing a possible write past the end of the object referenced by p.:

Code Block
bgColor#FFcccc
void f4(char p[], const char *q) {
  const size_t n = sizeof(p); 
  if ((memcpy(p, q, n)) == p) {  /* violation */
    /* ... */
  }
 
  /* ... */
}

...

This compliant solution ensures that n is equal to the size of the character array.:

Code Block
bgColor#ccccff
void f4(char p[], const char *q, size_t size_p) {
  const size_t n = size_p; 
  if ((memcpy(p, q, n)) == p) {  
    /* ... */
  }
 
  /* ... */
}

...

C Secure Coding StandardAPI00-C. Functions should validate their parameters
ISO/IEC TS 17961 (Draft)Forming invalid pointers by library functions [libptr]

Bibliography

[ISO/IEC TS 17961]Programming Languages,Their Environments and System Software Interfaces

 

...