SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 75

changes.mady.by.user Aaron Ballman

Saved on

compared with

New Version 76

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

C library functions that make changes to arrays or objects usually take at least two arguments: a pointer to the array or object and an integer indicating the number of elements or bytes to be manipulated. If the arguments are supplied improperly during such a function call, the function may cause the pointer to not point to the object at all or to point past the end of the object, leading to undefined behavior.

Definitions

The C Secure Coding Rules Draft Technical Specification [ISO/IEC TS 17961] defines the following terms:

Given an integer expression E, the derived type T of E is determined as follows:

  • if E is a sizeof expression then T is the type of the operand of the expression,
  • otherwise, if E is an identifier, then T is the derived type of the expression last used to store a value in E,
  • otherwise, if the derived type of each of E's subexpressions is the same, then T is that type,
  • otherwise, the derived type is an unspecified character type compatible with any of char, signed char, and unsigned char.

EXAMPLE For the following declarations:

Code Block
langc
double a[40];
size_t n0 = sizeof (int);
size_t n1 = 256;
size_t n2 = sizeof a / sizeof (*a);

The the derived type of n0 is int, and the derived type of n1 and n2 is a (hypothetical) unspecified character type that is compatible with any of char, signed char, and unsigned char.

...

The effective size of a pointer is the size of the object to which it points.

In the following code:,

Code Block
int arr[5];
int *p = arr;

...

In this example, the effective type of p is char. The type of q's type is not declared, but it is later assigned obj. The effective type of q is therefore equal to the effective type of obj.

Standard Library Functions

Following is an incomplete list of C library functions to which this rule applies.

Library Functions That Take a Pointer and Integer

The following standard library functions take a pointer argument and a size argument, with the constraint that the pointer must point to a valid memory object of at least the number of bytes or wide characters (as appropriate) indicated by the size argument.

fgets()

fread()*

fwrite()*

mblen()

memchr()

memset()

fgetws()

wmemchr()

wmemset()

mbrlen()

tmpnam_s()

gets_s()

getenv_s()

memset_s()

strerror_s()

strnlen_s()

asctime_s()

ctime_s()

wcscpy_s()

wcsncpy_s()

wmemcpy_s()

wmemmove_s()

wcscat_s()

wcsncat_s()

wcsnlen_s()

 

 

 

Library Functions That Take Two Pointers and an Integer

The following standard library functions take two pointer arguments and a size argument, with the constraint that both pointers must point to valid memory objects of at least the number of bytes or wide characters as appropriate, indicated by the size argument.

mbtowc()

wctomb()

mbtowcs()

wcstombs()

memcpy()

memmove()

strncpy()

strncat()

memcmp()

strncmp()

strxfrm()

mbrtoc16()

mbrtoc32()

wcsncpy()

wmemcpy()

wmemmove()

wcsncat()

wcsncmp()

wcsxfrm()

wmemcmp()

mbrtowc()

wcrtomb()

mbsrtowcs()

wcsrtombs()

wctomb_s()

mbtowcs_s()

wcstombs_s()

memcpy_s()

memmove_s()

strcpy_s()

strncpy_s()

strcat_s()

strncat_s()

wcscpy_s()

wcsncpy_s()

wmemcpy_s()

wmemmove_s()

wcscat_s()

wcsncat_s()

wcrtomb_s()

mbsrtowcs_s()

wcsrtombs_s()

 

 

 Library Functions That Take a Pointer and Two Integers

The following standard library functions take a pointer argument and two size arguments, with the constraint that the pointer must point to a valid memory object containing at least as many bytes as the product of the two size arguments.

bsearch()

qsort()

bsearch_s()

qsort_s()

Standard Memory Allocation Functions

The following are the standard memory allocation functions that take a size integer argument and return a pointer.

aligned_alloc()

calloc()

malloc()

realloc()

Other Library Functions

memcpy()

memmove()

vsnprintf()

vswprintf()swprintf()

strftime()

strxfrm()

snprintf()

 

...

the programmer must ensure that the object referenced by ptr is at least (size * count) bytes.

Description

To guarantee that a library function does not construct an out-of-bounds pointer, programmers must heed the following rules when using functions that operate on pointed-to regions. These rules assume that func is a function, p and q are pointers, and n is an integer.

...

Code Block
bgColor#ccccff
#include <stdlib.h>
#include <string.h>
 
void f1(size_t nchars, size_t val) {
  char *p = (char *)malloc(nchars);
  const size_t n = val;

  if (nchars < n) {
    /* Handle Errorerror */
  } else {
    memset(p, 0, n);
  }
}

...

Code Block
bgColor#FFcccc
#include <string.h>
 
void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(int) * ARR_SIZE;
  void *p = a;

  memset(p, 0, n);
}

Note: Although Although it is noncompliant, this code has no ill effects on architectures where sizeof(int) is equal to sizeof(float).

...

Code Block
bgColor#FFcccc
#include <string.h>
 
void f3(int *a) {
  float b = 3.14;
  const size_t n = sizeof(b);
  void *p = a;
  void *q = &b;

  memcpy(p, q, n);
}

Note: Although Although it is noncompliant, this code does not constitute a vulnerability on implementations where sizeof(int) is equal to sizeof(float).

...

Code Block
bgColor#FFcccc
#include <string.h>
 
void f4(char p[], const char *q) {
  const size_t n = sizeof(p); 
  if ((memcpy(p, q, n)) == p) {  /* violationViolation */
  }
}

Compliant Solution

This compliant solution ensures that n is equal to the size of the character array:

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR38-C

Highhigh

Likelylikely

Mediummedium

P18

L1

Automated Detection

Tool

Version

Checker

Description

PRQA QA-C
Include Page
PRQA_V
PRQA_V
 2931Fully implemented

...

C Secure Coding StandardAPI00-C. Functions should validate their parameters
ISO/IEC TS 17961 (Draft)Forming invalid pointers by library functions [libptr]

...