SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 51

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 52

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
Immutable objects should be {{const}}\-qualified.  Enforcing object immutability using {{const}}\-qualification helps ensures the correctness and security of applications.  ISO/IEC PDTR 24772 \[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\], for example, recommends labeling parameters as constant to avoid the unintentional modification of function arguments.  [STR05-A. Prefer making string literals const-qualified] describes a specialized case of this recommendation.

Adding const qualification may propagate through a program; as you add const qualifiers, still more become necessary. This phenomenon is sometimes called "const-poisoning." Const-poisoning can frequently lead to violations of EXP05-A. Do not cast away a const qualification. While const qualification is a good idea, the costs may outweigh the value in the remediation of existing code.

Non-Compliant Code Example

...

Code Block
bgColor#ccccff
const float pi = 3.14159f;
float degrees;
float radians;
/* ... */
radians = degrees * pi / 180;

Non-Compliant Code Example (Immutable Integer Values)

In this non-compliant code example, max is declared as a const-qualified object. While declaring non-integer constants as const-qualified objects is the best that can be done in C, for integer constants we can do better. Declaring immutable integer values as const-qualified objects still allows the programmer to take the address of the object. Also, const-qualified integers cannot be used in locations where an integer constant is required, such as the value of a case constant.

Code Block
bgColor#FFCCCC

const int max = 15;
int a[max]; /* invalid declaration outside of a function */
const int *p;

p = &max; /* a const-qualified object can have its address taken */

Most C compilers allocate memory for const-qualified objects.

Compliant Solution (enum)

This compliant solution declares max as an enumeration constant rather than a const-qualified object or a macro definition.

Code Block
bgColor#ccccff

enum { max = 15 };
int a[max]; /* OK */
const int *p;

p = &max; /* error: '&' on constant */

Risk Assessment

Risk Assessment

Failing to const-qualify immutable Using ordinary variables to hold constants instead of using enumeration constants or const-qualified objects can result in a value intended to be constant being changed modified at runtime.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL00-A

1 (low)

1 (unlikely)

2 1 (mediumhigh)

P2 P1

L3

Related Vulnerabilities

...

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.3.2.1, "Lvalues, arrays, and function designators," Section 6.7.2.2, "Enumeration specifiers," and Section 6.10.3, "Macro replacement"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "CSJ Passing parameters and return values"
\[[Saks 00|AA. C References#Saks 00]\] Dan Saks. [Numeric Literals|http://www.embedded.com/2000/0009/0009pp.htm]. Embedded Systems Programming.  September, 2000.
\[[Summit 05|AA. C References#Summit 05]\] [Question 10.5b|http://c-faq.com/cpp/constvsdefine.html]

...

02. Declarations and Initialization (DCL)      02. Declarations and Initialization (DCL)       DCL01-A. Do not reuse variable names in subscopes