...

The signature is similar to strcpy() but takes an extra argument of type rsize_t that specifies the maximum length of the destination buffer. Functions that accept parameters of type rsize_t diagnose a constraint violation if the values of those parameters are greater than RSIZE_MAX. Extremely large object sizes are frequently a sign that an object's size was calculated incorrectly. For example, negative numbers appear as very large positive numbers when converted to an unsigned type like size_t. For those reasons, it is sometimes beneficial to restrict the range of object sizes to detect errors. For machines with large address spaces, the C Standard, Annex K, recommends that RSIZE_MAX be defined as the smaller of the size of the largest object supported or (SIZE_MAX >> 1), even if this limit is smaller than the size of some legitimate, but very large, objects. (See also INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.)

The semantics of strcpy_s() are similar to the semantics of strcpy(). When there are no input validation errors, the strcpy_s() function copies characters from a source string to a destination character array up to and including the terminating null character. The function returns 0 on success.
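The following is an added example, not code from the CERT page or from any Annex K implementation. Because glibc does not ship Annex K, it models the runtime-constraint checks described above in portable C: a stand-in for rsize_t, the recommended RSIZE_MAX bound of (SIZE_MAX >> 1), rejection of sizes that are really wrapped negative numbers, and the rule that the destination is set to an empty string when the source does not fit. The names model_strcpy_s, model_rsize_t, MODEL_RSIZE_MAX, the MODEL_* result codes and the demo_* scenario functions are this example's own; Annex K leaves the actual errno_t values to the implementation, and the non-overlap constraint is not modelled.

```c
/* Added example: a portable model of the checks strcpy_s() performs.
 * This is NOT the Annex K implementation; glibc does not ship Annex K,
 * so the type, the limit and the return codes are defined here.
 * Names prefixed model_ / MODEL_ / demo_ are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef size_t model_rsize_t;               /* stands in for rsize_t */
#define MODEL_RSIZE_MAX (SIZE_MAX >> 1)     /* Annex K's recommended upper bound */

/* Constraint-violation codes (Annex K leaves the errno_t values to the implementation). */
enum { MODEL_OK = 0, MODEL_ENULL = 1, MODEL_EBADSIZE = 2, MODEL_ETOOLONG = 3 };

/* Length of s bounded by max, so the scan never runs past the caller's limit. */
static size_t bounded_len(const char *s, size_t max) {
  size_t n = 0;
  while (n < max && s[n] != '\0') n++;
  return n;
}

/* Copy s2 into s1 (capacity s1max). Returns 0 on success, nonzero on a
 * constraint violation. The overlap constraint of Annex K is not modelled. */
int model_strcpy_s(char *s1, model_rsize_t s1max, const char *s2) {
  if (s1 == NULL || s2 == NULL) return MODEL_ENULL;
  /* A size above RSIZE_MAX is almost always a negative value that wrapped,
   * or a broken size computation: refuse it rather than write that far. */
  if (s1max == 0 || s1max > MODEL_RSIZE_MAX) return MODEL_EBADSIZE;
  size_t len = bounded_len(s2, s1max);
  if (len >= s1max) {           /* no room for the terminating null */
    s1[0] = '\0';               /* Annex K: destination left empty on this failure */
    return MODEL_ETOOLONG;
  }
  memcpy(s1, s2, len + 1);      /* copies the terminating null too */
  return MODEL_OK;
}

/* Scenario helpers: each returns 1 when the model behaves as Annex K describes. */
int demo_fits(void) {
  char buf[8];
  return model_strcpy_s(buf, sizeof buf, "hello") == MODEL_OK && strcmp(buf, "hello") == 0;
}
int demo_too_long(void) {
  char buf[8];
  int rc = model_strcpy_s(buf, sizeof buf, "this does not fit");
  return rc == MODEL_ETOOLONG && buf[0] == '\0';
}
int demo_negative_size(void) {
  char buf[16];
  int n = -5;                                   /* a miscalculated length ... */
  /* ... becomes SIZE_MAX - 4 when converted, which the bound check rejects */
  return model_strcpy_s(buf, (model_rsize_t)n, "abc") == MODEL_EBADSIZE;
}
int demo_null(void) {
  char buf[8];
  return model_strcpy_s(NULL, sizeof buf, "x") == MODEL_ENULL
      && model_strcpy_s(buf, sizeof buf, NULL) == MODEL_ENULL;
}

int main(void) {
  printf("fits=%d too_long=%d negative_size=%d null=%d\n",
         demo_fits(), demo_too_long(), demo_negative_size(), demo_null());
  return 0;
}
```

The demo_negative_size scenario is the case the text warns about: a length that went negative and was converted to an unsigned type is caught by the RSIZE_MAX bound instead of being honoured as a multi-exabyte destination size.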

...

This compliant solution performs some of the checking at compile time using a static assertion. (See DCL03-C. Use a static assertion to test the value of a constant expression.)

```c
#define __STDC_WANT_LIB_EXT1__ 1  /* expose errno_t and strcat_s() (C11 Annex K) */
#include <assert.h>               /* static_assert */
#include <stdio.h>
#include <string.h>

void complain(const char *msg) {
  errno_t err;
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZ];

  /*
   * Ensure that more than one character
   * is available for msg
   */
  static_assert(sizeof(buf) > sizeof(prefix) + sizeof(suffix),
                "Buffer for complain() is too small");
  strcpy(buf, prefix);

  err = strcat_s(buf, sizeof(buf), msg);
  if (err != 0) {
    /* Handle error */
  }

  err = strcat_s(buf, sizeof(buf), suffix);
  if (err != 0) {
    /* Handle error */
  }
  fputs(buf, stderr);
}
```

...

| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | BADFUNC.BO.OEMTOCHAR | Use of OemToAnsi, use of OemToChar (both include checks for uses of similar functions) |
| CodeSonar | | BADFUNC.BO.STRCAT | Use of strcat (includes checks for uses of similar library functions such as StrCatA(), wcscat(), etc.) |
| CodeSonar | | BADFUNC.BO.STRCATCHAINW | Use of StrCatChainW |
| CodeSonar | | BADFUNC.BO.STRCMP | Use of strcmp (includes checks for uses of similar library functions such as lstrcmp()) |
| CodeSonar | | BADFUNC.BO.STRCPY | Use of strcpy (includes checks for uses of similar library functions such as StrCCpy(), wcscpy(), etc.) |
| CodeSonar | | BADFUNC.BO.STRLEN | Use of strlen (includes checks for uses of similar library functions such as lstrlen()) |
| CodeSonar | | BADFUNC.BO.STRTRNS | Use of strtrns |
| LDRA tool suite | | 44 S | Enhanced enforcement |
| PRQA QA-C | | Warncall -wc strcpy, -wc strcat, -wc strncpy, -wc strncat | Partially implemented |

...