SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 62

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 63

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not make any assumptions about the size of environment variables because an adversary might have full control over the environment. If the environment variable needs to be stored, the length of the associated string should be calculated and the storage dynamically allocated . (See see STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator).)

Noncompliant Code Example

...

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
LANG.MEM.TO
(general)

Buffer Overrunoverrun
Type Overrunoverrun
CodeSonar's taint analysis includes handling for taint introduced through the environment.

Compass/ROSE

 

 

Can detect violations of the rule by using the same method as STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

MITRE CWECWE-119, Failure to constrain operations within the bounds of an allocated memory buffer

...