Comment: Migrated to Confluence 4.0

The size_t type is the unsigned integer type of the result of the sizeof operator. Variables of type size_t are guaranteed to be of sufficient precision to represent the size of an object. The limit of size_t is specified by the SIZE_MAX macro.

The type size_t generally covers the entire address space. ISO/IEC TR 24731-1:2007 introduces a new type rsize_t, defined to be size_t but explicitly used to hold the size of a single object [Meyers 2004]. In code that documents this purpose by using the type rsize_t, the size of an object can be checked to verify that it is no larger than RSIZE_MAX, the maximum size of a normal single object, which provides additional input validation for library functions. See recommendation STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code for additional discussion of TR 24731-1.

Any variable that is used to represent the size of an object, including integer values used as sizes, indices, loop counters, and lengths, should be declared rsize_t, if available. Otherwise, it should be declared size_t.

...

sizeof(size_t) == sizeof(int)

The unsigned n may contain a value greater than INT_MAX. Assuming quiet wraparound on signed overflow, the loop executes n times because the comparison i < n is an unsigned comparison. Once i is incremented beyond INT_MAX, i takes on negative values starting with INT_MIN. Consequently, the memory locations referenced by p[i] precede the memory referenced by p, and a write outside the array bounds occurs.

sizeof(size_t) > sizeof(int)

...

For values of n where INT_MAX < n <= (size_t)INT_MIN, the loop executes INT_MAX times. Once i becomes negative the loop stops, and i remains in the range 0 through INT_MAX.

For values of n where (size_t)INT_MIN < n <= SIZE_MAX, i wraps and takes the values INT_MIN to INT_MIN + (n - (size_t)INT_MIN - 1). Execution of the loop overwrites memory from p[INT_MIN] through p[INT_MIN + (n - (size_t)INT_MIN - 1)].
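The following C program is an added example and is not code from the CERT page. It serves two passages: the wraparound analysis above (an int index compared against a wider size_t bound) and the earlier rsize_t/RSIZE_MAX validation. Because running a loop INT_MAX times and writing outside an array cannot be demonstrated safely, the noncompliant loop is modeled with a signed char index (SCHAR_MAX standing in for INT_MAX) and an unsigned int bound (standing in for the wider size_t); it records the indices the loop would use instead of writing through them. The names model_noncompliant_loop, clear_ints and TRACE_CAP are constructed for this example, and the RSIZE_MAX fallback is an assumption (glibc does not provide Annex K, so the TR's recommended default of SIZE_MAX >> 1 is used when the macro is absent).

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Annex K (TR 24731-1) implementations define RSIZE_MAX; glibc does not.
 * The fallback below is an assumption for this example and follows the TR's
 * recommended default of SIZE_MAX >> 1. */
#ifndef RSIZE_MAX
#define RSIZE_MAX (SIZE_MAX >> 1)
#endif

/* ---- Model of the noncompliant loop (no out-of-bounds write is performed) ----
 * The real defect is a loop whose index is int while its bound is size_t.
 * To make the wraparound observable at a size that runs instantly, this model
 * uses signed char as the index (SCHAR_MAX = 127 stands in for INT_MAX) and
 * unsigned int as the bound (stands in for size_t, which is wider than the
 * index). Instead of writing p[i], each index the loop would use is recorded.
 * Assumes the common implementation-defined behaviour that converting 128 to
 * signed char wraps to -128 (documented by GCC and Clang). */
#define TRACE_CAP 512

static int model_noncompliant_loop(unsigned int n, int trace[TRACE_CAP]) {
    int count = 0;
    signed char i;                 /* stand-in for the int index */
    for (i = 0; i < n; ++i) {      /* i is converted to unsigned int for the comparison */
        if (count >= TRACE_CAP)    /* guard only: the real loop has no such limit */
            break;
        trace[count++] = i;        /* a negative value here means p[i] would precede p */
    }
    return count;
}

/* ---- Compliant version: size_t index plus rsize_t-style validation ---- */
static int clear_ints(int *p, size_t n) {
    /* RSIZE_MAX check: a size this large is not a plausible single object and
     * is treated as an invalid argument, as the TR 24731-1 functions do. */
    if (p == NULL || n > RSIZE_MAX) {
        errno = EINVAL;
        return -1;
    }
    for (size_t i = 0; i < n; ++i) {   /* same type on both sides: no wraparound */
        p[i] = 0;
    }
    return 0;
}

int main(void) {
    int trace[TRACE_CAP];
    /* Constructed bound: just past (unsigned)SCHAR_MIN, the model's analogue of
     * (size_t)INT_MIN, so the loop keeps running after the index wraps. */
    unsigned int n = (unsigned int)SCHAR_MIN + 3u;
    int count = model_noncompliant_loop(n, trace);
    printf("model loop ran %d times; indices after the wrap:", count);
    for (int k = SCHAR_MAX + 1; k < count; ++k)
        printf(" %d", trace[k]);
    printf("\n");

    int buf[4] = {1, 2, 3, 4};
    printf("clear_ints(buf, 4) -> %d\n", clear_ints(buf, 4));
    printf("clear_ints(buf, SIZE_MAX) -> %d (rejected)\n", clear_ints(buf, SIZE_MAX));
    return 0;
}
```

With the constructed bound the model runs 131 times: indices 0 through 127, then -128, -127 and -126, which is exactly the INT_MIN .. INT_MIN + (n - (size_t)INT_MIN - 1) range described above, scaled down to the model's types. Compiling with -Wsign-compare (or -Wall) flags the mixed-type comparison in the model, which is the same condition the Compass/ROSE checker for this recommendation reports.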

Compliant Solution (TR 24731-1)

...

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
INT01-C          medium     probable     medium             P8         L2

Automated Detection

Tool: Fortify SCA
Version: V. 5.0
Checker: (none listed)
Description: will detect integer operations that cause overflow, but not all cases where size_t is not used

Tool: Splint
Version: (taken from an included page; the version number was not captured)
Checker: (none listed)
Description: (none listed)

Tool: Compass/ROSE
Version: (none listed)
Checker: (none listed)
Description: can detect violations of this recommendation. In particular, it catches comparisons and operations where one operand is of type size_t or rsize_t and the other is not

Tool: LDRA tool suite
Version: (taken from an included page; the version number was not captured)
Checker: 93 S
Description: Fully Implemented

...

ISO/IEC TR 24731-1:2007

Bibliography

[Meyers 2004]

...
