SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 128

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 129

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP33-C

high

probable

medium

P12

L1

Automated Detection

LDRA tool suite

include

sectionSplint_V

Can detect some   violations of this rule when the -Wuninitialized flag is used.

section

. 5.0

NO_EFFECT

Can find cases of   an uninitialized variable being used before it is initialized, although
it cannot detect cases of uninitialized members of a struct.

Because Coverity

Because Coverity Prevent
cannot discover all

violations of

violations of this rule further verification is necessary.

section

Tool

Version

Checker

Description

Section
LDRA_VLDRA_V

V. 8.5.4

57 D

69 D

section

Fully implemented

section

.

Fortify SCA

 

 

section

Can detect violations of this rule, but will return false positives if the initialization
was done in

another function

another function.

section

Splint

Include Page
Splint_V

V. 3.1.1

 

 

section

GCC

Include Page
GCC_VGCC_V

 

V. 4.3.5

 

Section

Compass/ROSE

 

 

section

Automatically   detects simple violations of this rule, although it may return some false
positives. It may not catch more complex violations, such as initialization within
functions taking uninitialized variables as arguments. It does catch the second
noncompliant code example, and can be extended to catch the

first as

first as well.

section

Coverity Prevent

include

Coverity

_

V

Coverity_V
Section
Section

Klocwork

include

Klocwork_VKlocwork_Vsection

V. 9.1

UNINIT.HEAP.MIGHT
UNINIT.HEAP.MUST
UNINIT.STACK.ARRAY.MIGHT
UNINIT.STACK.ARRAY.MUST
UNINIT.STACK.ARRAY.PARTIAL.MUST
UNINIT.STACK.MUST

 

 

Related Vulnerabilities

CVE-2009-1888 results from a violation of this recommendation. Some versions of SAMBA (up to 3.3.5) call a function which takes in two potentially unitiliazed variables involving access rights. An attacker can exploit this to bypass the access control list and gain access to protected files [xorl 2009].

...