...

The following sections examine specific operations that are susceptible to unsigned integer wrap. When operating on integer types with less precision than int, integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Programmers should understand integer conversion rules before trying to implement secure arithmetic operations. (See INT02-C. Understand integer conversion rules.)

Integer values must not be allowed to wrap, especially if they are used in any of the following ways:

...

Tool         | Version | Checker                  | Description
-------------|---------|--------------------------|---------------------------------------------
CodeSonar    |         | ALLOC.SIZE.ADDOFLOW      | Addition overflow of allocation size
CodeSonar    |         | ALLOC.SIZE.IOFLOW        | Integer overflow of allocation size
CodeSonar    |         | ALLOC.SIZE.MULOFLOW      | Multiplication overflow of allocation size
CodeSonar    |         | ALLOC.SIZE.SUBUFLOW      | Subtraction underflow of allocation size
CodeSonar    |         | MISC.MEM.SIZE.ADDOFLOW   | Addition overflow of size
CodeSonar    |         | MISC.MEM.SIZE.BAD        | Unreasonable size argument
CodeSonar    |         | MISC.MEM.SIZE.MULOFLOW   | Multiplication overflow of size
CodeSonar    |         | MISC.MEM.SIZE.SUBUFLOW   | Subtraction underflow of size
Compass/ROSE |         |                          | Can detect violations of this rule by ensuring that operations are checked for overflow before being performed. Be mindful of exception INT30-EX2 because it excuses many operations from requiring validation, including all the operations that would validate a potentially dangerous operation. For instance, adding two unsigned ints together requires validation involving subtracting one of the numbers from UINT_MAX, which itself requires no validation because it cannot wrap.
Coverity     | 6.5     | INTEGER_OVERFLOW         | Implemented
Fortify SCA  | 5.0     |                          | Can detect violations of this rule with the CERT C Rule Pack
LDRA tool suite |      | 493 S, 494 S             | Partially implemented
PRQA QA-C    |         | 2910 (C), 2911 (D), 2912 (A), 2913 (S) | Partially implemented
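As an added example (not code from the CERT page or from any analyzer listed above), the guards that the opening paragraph and the Compass/ROSE note describe, written out in C: the UINT_MAX-based checks for unsigned addition, multiplication and subtraction, plus the integer-promotion case for unsigned short operands. The function names are assumed, and the narrow-type guard assumes int is wider than short.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Unsigned addition: UINT_MAX - a can never wrap, so the guard itself
 * needs no guard (the INT30-EX2 point raised for Compass/ROSE above). */
bool add_unsigned_checked(unsigned a, unsigned b, unsigned *out) {
    if (UINT_MAX - a < b) return false;   /* a + b would wrap */
    *out = a + b;
    return true;
}
/* Unsigned multiplication: compare against UINT_MAX / b instead. */
bool mul_unsigned_checked(unsigned a, unsigned b, unsigned *out) {
    if (b != 0 && a > UINT_MAX / b) return false;   /* a * b would wrap */
    *out = a * b;
    return true;
}
/* Unsigned subtraction wraps exactly when the subtrahend is larger. */
bool sub_unsigned_checked(unsigned a, unsigned b, unsigned *out) {
    if (a < b) return false;
    *out = a - b;
    return true;
}
/* Narrow types: unsigned short operands are promoted to int (assumes int is
 * wider than short, as on 32/64-bit targets), so a + b does not wrap at
 * USHRT_MAX; the excess is discarded only when the result is stored back.
 * Check the promoted sum before narrowing it. */
bool add_ushort_checked(unsigned short a, unsigned short b, unsigned short *out) {
    unsigned sum = (unsigned)a + (unsigned)b;   /* at most 2 * USHRT_MAX */
    if (sum > USHRT_MAX) return false;
    *out = (unsigned short)sum;
    return true;
}
/* Exercises each guard on a boundary case; returns 1 when all behave. */
int self_check(void) {
    unsigned r; unsigned short s;
    return !add_unsigned_checked(UINT_MAX, 1, &r)
        && add_unsigned_checked(UINT_MAX - 1, 1, &r) && r == UINT_MAX
        && !mul_unsigned_checked(UINT_MAX / 2 + 1, 2, &r)
        && mul_unsigned_checked(UINT_MAX / 2, 2, &r) && r == UINT_MAX - 1
        && !sub_unsigned_checked(0, 1, &r)
        && !add_ushort_checked(USHRT_MAX, 1, &s)
        && add_ushort_checked(USHRT_MAX - 1, 1, &s) && s == USHRT_MAX;
}

int main(void) {
    printf("all guards behave: %d\n", self_check());   /* prints 1 */
    return 0;
}
```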

...

...


...