...

Noncompliant Code Example (Static Variables)

In this noncompliant code example, p is declared as a pointer to a constant char with file scope, and the address of the local variable str is assigned to p inside the dont_do_this() function. The assignment itself is legal, but str has automatic storage duration, so its lifetime ends when dont_do_this() returns; it is illegal for str to go out of scope while p still holds its address, which is exactly what happens here.

const char *p;

void dont_do_this(void) {
    const char str[] = "This will change";
    p = str; /* dangerous: str's lifetime ends when this function returns */
    /* ... */
}

void innocuous(void) {
    const char str[] = "Surprise, surprise"; /* may reuse the stack slot str occupied in dont_do_this() */
}

int main(void) {
    /* ... */
    dont_do_this();
    innocuous();
    /* p might be pointing to "Surprise, surprise" */
    return 0;
}

As a result of this undefined behavior, it is likely that p will refer to the string literal "Surprise, surprise" after the call to the innocuous() function.
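Two ways to avoid the dangling file-scope pointer, as an added example that is not part of the CERT page: either give the referenced object static storage duration so it lives as long as p does, or keep the pointer in the same scope as the object so neither can outlive the other. The function names do_this_instead(), similar_scope() and check_after_innocuous() are constructed for this example; innocuous() mirrors the function above.

```c
#include <string.h>

/* Added example (not CERT's code): the file-scope pointer from the
 * noncompliant example, now only ever pointed at an object that outlives it. */
const char *p;

/* Option 1: the referenced object gets static storage duration, so its
 * lifetime is the whole program and p can never dangle. */
void do_this_instead(void) {
    static const char str[] = "This will not change";
    p = str; /* OK: str lives for the duration of the program */
}

/* Option 2: object and pointer share a scope and end their lifetimes
 * together; the pointer is never visible after str is gone. */
size_t similar_scope(void) {
    const char str[] = "This will change";
    const char *q = str; /* q cannot outlive str */
    return strlen(q);
}

/* Same shape as the page's innocuous(): a later call with its own local. */
void innocuous(void) {
    const char str[] = "Surprise, surprise";
    (void)str;
}

/* Returns what p refers to after innocuous() has run. Because p points at
 * an object with static storage duration, this read is well defined. */
const char *check_after_innocuous(void) {
    do_this_instead();
    innocuous();
    return p;
}
```

Option 1 is the right fix only when a single, program-lifetime buffer is acceptable; when each call needs its own data, prefer option 2 or a caller-supplied buffer.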

Compliant Solution (Similar Scope)

...

Noncompliant Code Example (Return Values)

In this noncompliant code example, the function init_array() incorrectly returns a pointer to a local stack variable, which the caller may then access after its lifetime has ended.

char *init_array(void) {
   char array[10];
   /* Initialize array */
   return array;
}

...

void init_array(char array[]) {
   /* Initialize array */
   return;
}

int main(int argc, char *argv[]) {
   char array[10];
   init_array(array);
   /* ... */
   return 0;
}

Noncompliant Code

In this noncompliant code example, the function squirrel_away() stores a pointer to the local stack variable local into the location pointed to by the function parameter ptr_param. Because it can be assumed that the pointer variable to which ptr_param points remains alive after squirrel_away() returns, it is illegal for local to go out of scope.

void squirrel_away(char **ptr_param) {
    char local[10];
    /* Initialize array */
    *ptr_param = local; /* local's lifetime ends when this function returns */
}

void rodent(void) {
    char *ptr;
    squirrel_away(&ptr);
    /* ptr is live but invalid here */
}
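Both the init_array() and squirrel_away() examples above fail for the same reason: storage whose lifetime ends with the callee is handed to the caller. The following added example (not the CERT page's code) shows the two compliant alternatives in one program: the caller owns the buffer and passes it in, or the callee allocates storage with explicitly managed lifetime and the caller frees it. The names fill_caller_buffer(), squirrel_away_heap(), rodent_ok() and the size LOCAL_SIZE are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

#define LOCAL_SIZE 10 /* constructed buffer size for this example */

/* Compliant alternative 1: the caller owns the storage and passes it in,
 * so nothing the callee writes can outlive an object the caller still uses. */
void fill_caller_buffer(char *buf, size_t len) {
    size_t i;
    for (i = 0; i < len; i++) {
        buf[i] = (char)('a' + i % 26);
    }
}

/* Compliant alternative 2: dynamically allocated storage whose lifetime is
 * controlled explicitly. Ownership passes to the caller, which must free() it.
 * Returns 0 on success, -1 on allocation failure (with *ptr_param set to NULL). */
int squirrel_away_heap(char **ptr_param) {
    char *heap = malloc(LOCAL_SIZE);
    if (heap == NULL) {
        *ptr_param = NULL;
        return -1;
    }
    fill_caller_buffer(heap, LOCAL_SIZE);
    *ptr_param = heap;
    return 0;
}

/* Exercises both alternatives; returns 1 if both produced the expected data,
 * 0 otherwise. Every pointer used here refers to storage that is still alive. */
int rodent_ok(void) {
    char local[LOCAL_SIZE]; /* owned by this function for its whole lifetime */
    char *heap = NULL;
    int ok;

    fill_caller_buffer(local, sizeof local);
    if (squirrel_away_heap(&heap) != 0) {
        return 0;
    }
    ok = memcmp(local, heap, LOCAL_SIZE) == 0
         && local[0] == 'a' && local[LOCAL_SIZE - 1] == 'j';
    free(heap); /* heap storage released exactly once, after its last use */
    return ok;
}
```

The caller-supplied buffer is the simpler contract and matches the compliant init_array(char array[]) above; the heap variant is the option when the callee must decide the size, at the cost of an explicit ownership rule the caller has to follow.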

Risk Assessment

Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.

...

| Tool | Version | Checker | Description |
| --- | --- | --- | --- |
| LDRA tool suite | | | |
| Fortify SCA | V. 7.6.0 | | can detect violations when an array is declared in a function and then a pointer to that array is returned |
| Splint | | | |
| Compass/ROSE | | | can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope, would be difficult. |
| Coverity Prevent | | RETURN_LOCAL | finds many instances where a function will return a pointer to a local stack variable. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary. |
| Klocwork | | LOCRET.* | |

...