SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 192

changes.mady.by.user Jill Britton

Saved on

compared with

New Version 193

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Tool

Version

Checker

Description

 
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
LANG.MEM.TO
MISC.MEM.NTERM
BADFUNC.BO.*

Buffer overrun
Type overrun
No space for null terminator
A collection of warning classes that report uses of library functions prone to internal buffer overflows

 

Compass/ROSE

 

 

Can detect violations of the rule. However, it is unable to handle cases involving strcpy_s() or manual string copies such as the one in the first example

 
Coverity6.5

STRING_OVERFLOW
STRING_SIZE
SECURE_CODING

Fully implemented

 

Fortify SCA

5.0

 

 

 

Klocwork

Include Page
Klocwork_V
Klocwork_V

NNTS.MIGHT
NNTS.MUST
SV.STRBO.BOUND_COPY.OVERFLOW
SV.STRBO.BOUND_COPY.UNTERM
SV.STRBO.BOUND_SPRINTF
SV.STRBO.UNBOUND_COPY
SV.STRBO.UNBOUND_SPRINTF 

 

LDRA tool suite

Include Page
LDRA_V
LDRA_V

489 S, 109 D, 66 X, 70 X, 71 X

Partially implemented

 

Parasoft C/C++test9.5BD-PB-OVERFWR,SECURITY-12  
Polyspace Bug FinderR2016a Guarantee that storage for strings has sufficient space for character data and null terminator 

Splint

Include Page
Splint_V
Splint_V

 

 

 
PRQA QA-C
Include Page
PRQA QA-C_v
PRQA QA-C_v
warncall for 'gets'. 2845, 2846, 2847, 2848, 2849, 5009Partially implemented 

Related Vulnerabilities

CVE-2009-1252 results from a violation of this rule. The Network Time Protocol daemon (NTPd), before versions 4.2.4p7 and 4.2.5p74, contained calls to sprintf that allow an attacker to execute arbitrary code by overflowing a character array [xorl 2009].

...