SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 61

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 62

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

C library functions that make changes to arrays or objects usually take at least two arguments: a pointer to the array or object and an integer indicating the number of elements or bytes to be manipulated. If the arguments are supplied improperly during such a function call, the function may cause the pointer to not point to the object at all or to point past the end of the object, leading to undefined behavior.

Definitions

Wiki MarkupThe C Secure Coding Rules Draft Technical Specification \ [SD:ISO/IEC 2011\] defines the following terms:

Given an integer expression E, the derived type T of E is determined as follows:

  • if E is a sizeof expression then T is the type of the operand of the expression,
  • otherwise, if E is an identifier, then T is the derived type of the expression last used to store a value in E,
  • otherwise, if the derived type of each of E's subexpressions is the same, then T is that type,
  • otherwise, the derived type is an unspecified character type compatible with any of char, signed char, and unsigned char.

EXAMPLE For the following declarations:

Code Block
langc
double a[40];
size_t n0 = sizeof (int);
size_t n1 = 256;
size_t n2 = sizeof a / sizeof (*a);

The derived type of n0 is int, and the derived type of n1 and n2 is a (hypothetical) unspecified character type that is compatible with any of char, signed char, and unsigned char.

...

Noncompliant Code Example

...

In this noncompliant code example, the effective type of {{\*p}} is {{float}}, and the derived type of the expression {{n}} is {{int}}. This is calculated using the first rule from N1579's \ [SD:1\] definition of derived types (see Definitions section). Because {{n}} contains the result of a {{sizeof}} expression, its derived type is equal to the type of the operand, which is {{int}}.

Code Block
bgColor#FFcccc
void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(int) * ARR_SIZE;
  void *p = a;

  memset(p, 0, n);
  /* ... */
}

...

Noncompliant Code Example

Wiki MarkupIn this noncompliant code example, the value of {{n}} is greater than the size of {{T}}, that is, {{sizeof(wchar_t)}}. But the derived type of expression {{n}} ({{wchar_t *}}) is not the same as the type of {{T}} because its derived type (see Definitions section) will be equal to the type of {{p}}, which is {{wchar_t\*}}. The derived type of {{n}} is calculated using the first rule from N1579's \ [SD:1\] definition of derived types (see Definitions section). Because {{n}} here is a {{sizeof}} expression, its derived type is equal to the type of the operand ({{p}}), which is {{wchar_t *}}.

Code Block
bgColor#FFcccc
wchar_t *f4() {
  const wchar_t *p = L"Hello, World!";
  const size_t n = sizeof(p) * (wcslen(p) + 1);

  wchar_t *q = (wchar_t*) malloc(n);
  return q;
}

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR38-C

high

likely

medium

P18

L1

Related Guidelines

API00-C. Functions should validate their parameters (https://www.securecoding.cert.org/confluence/display/seccode/API00-C.+Functions+should+validate+their+parameters)

N1579: N1579, Rule 5.34 Forming invalid pointers by library functions

Bibliography

...

\[SD:ISO/IEC 2011\] ISO/IEC. N1579 Information Technology — — Programming languages, their environments and system software interfaces — — C Secure Coding Rules C Secure Coding Rules. September, 2011.