...

Ensure that restrict-qualified source and destination pointers do not reference overlapping objects when invoking library functions. The standard library functions shown below are examples of functions that copy memory from a source object referenced by a restrict-qualified pointer to a destination object that is also referenced by a restrict-qualified pointer:

Standard C

void *memcpy(
  void * restrict s1,
  const void * restrict s2,
  size_t n
);

char *strcpy(
  char * restrict s1,
  const char * restrict s2
);

char *strncpy(
  char * restrict s1,
  const char * restrict s2,
  size_t n
);

char *strcat(
  char * restrict s1,
  const char * restrict s2
);

char *strncat(
  char * restrict s1,
  const char * restrict s2,
  size_t n
);

The Annex K bounds-checking interface functions shown below also copy memory from a source object referenced by a restrict-qualified pointer to a destination object that is referenced by another restrict-qualified pointer:

...

Standard C      Annex K
strcpy()        strcpy_s()
strncpy()       strncpy_s()
strcat()        strcat_s()
strncat()       strncat_s()
memcpy()        memcpy_s()
                strtok_s()

...

If the objects referenced by the arguments to these functions overlap (that is, they share at least one byte of memory), the behavior is undefined. See also undefined behavior 68 in Annex J of the C Standard. In practice the copy may produce corrupted data, so these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share memory, use a function that is guaranteed to work on overlapping regions, such as memmove().
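The following is an added example, not code from the original page or from the C Standard, showing the overlap rule in practice: an overlap check on byte ranges, a copy helper that honors the restrict contract of memcpy() and falls back to memmove() when the regions share bytes, and the classic in-place "delete first character" shift that would be undefined with strcpy(s, s + 1). The names ranges_overlap, copy_bytes and delete_first_char are this example's own; comparing the addresses as uintptr_t assumes a flat address space.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Nonzero if the byte ranges [a, a+n) and [b, b+n) share at least one byte.
 * Relational comparison of pointers into different objects is not portable,
 * so the addresses are compared as integers (assumes a flat address space). */
int ranges_overlap(const void *a, const void *b, size_t n)
{
    uintptr_t lo_a = (uintptr_t)a;
    uintptr_t lo_b = (uintptr_t)b;
    if (n == 0)
        return 0;
    return lo_a < lo_b + n && lo_b < lo_a + n;
}

/* Copy n bytes from src to dst. memcpy() is used only when the regions are
 * provably disjoint, which is the contract its restrict-qualified parameters
 * express; otherwise memmove(), which is defined for overlapping objects, is
 * used. Returns 1 when memmove() was required and 0 when memcpy() sufficed. */
int copy_bytes(void *dst, const void *src, size_t n)
{
    if (ranges_overlap(dst, src, n)) {
        memmove(dst, src, n);
        return 1;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Remove the first character of a NUL-terminated string in place.
 * Source and destination are the same array offset by one byte, so
 * strcpy(s, s + 1) or memcpy(s, s + 1, len) would be undefined behavior;
 * memmove() handles the overlap. */
void delete_first_char(char *s)
{
    size_t len = strlen(s);
    if (len == 0)
        return;
    memmove(s, s + 1, len); /* len bytes: remaining characters plus the NUL */
}

int main(void)
{
    char word[] = "abcdef";
    delete_first_char(word);
    printf("%s\n", word); /* bcdef */

    char digits[16] = "0123456789";                 /* constructed sample */
    int moved = copy_bytes(digits + 2, digits, 8);  /* overlapping shift right */
    printf("%s (memmove used: %d)\n", digits, moved); /* 0101234567 (memmove used: 1) */
    return 0;
}
```

The dispatch in copy_bytes() is a defensive wrapper for call sites where the caller cannot prove disjointness statically; where it can, calling memcpy() directly is the idiomatic choice and the restrict qualifiers document that proof.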

...

Ensure that functions that accept a restrict-qualified pointer to a const-qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following is a list of some of the common functions where the format argument is a restrict-qualified pointer to a const-qualified type:

...

Standard C      Annex K
printf()        printf_s()
scanf()         scanf_s()
sprintf()       sprintf_s()
snprintf()      snprintf_s()

For formatted output functions such as printf(), it is unlikely that a programmer would deliberately modify the format string. However, an attacker may attempt to do so if the program violates FIO30-C. Exclude user input from format strings by passing tainted values as part of the format string.
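The following is an added example, not code from the original page, showing the compliant shape that keeps the restrict-qualified const format of snprintf() a trusted literal while tainted bytes travel as a %s argument. The function name render_user_message and the sample inputs are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>

/* Format a tainted string into out[out_len]. The format parameter of
 * snprintf() is declared `const char * restrict format`: the callee reads it
 * as a trusted template and never writes through it. Keeping the template a
 * string literal and passing the tainted bytes as a %s argument is the
 * compliant shape required by FIO30-C. Returns what snprintf() returns: the
 * length the full message would have had, or a negative value on error, so
 * a caller can detect truncation by comparing it with out_len. */
int render_user_message(char *out, size_t out_len, const char *tainted)
{
    return snprintf(out, out_len, "user said: %s", tainted);
}

/* Noncompliant shape, shown only as a comment so it is never compiled in:
 *
 *     snprintf(out, out_len, tainted);
 *
 * Here the tainted bytes become the format. A value such as "%x%n%s" would
 * be interpreted as conversions, and %n writes through an argument the
 * caller never supplied. */

int main(void)
{
    char buf[64];
    /* Constructed hostile input: conversion specifiers in user data. */
    render_user_message(buf, sizeof buf, "%x%n%s");
    printf("%s\n", buf); /* user said: %x%n%s */
    return 0;
}
```

With the literal format, "%x%n%s" is rendered verbatim as data; the same bytes passed as the format argument would be interpreted as conversions.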

...

[ISO/IEC 9899:2011] Subclause 6.7.3.1, "Formal Definition of restrict"
[Walls 2006] Douglas Walls. How to Use the restrict Qualifier in C. Sun ONE Tools Group, Sun Microsystems, July 2003 (revised March 2006)