SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 125

changes.mady.by.user Astha Singhal

Saved on

compared with

New Version 126

changes.mady.by.user Astha Singhal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

Wiki MarkupLocal, automatic variables can assume unexpected values if they are used before they are initialized. C99 specifies, "If an object that has automatic storage duration is not initialized explicitly, its value is [indeterminate| BB. Definitions#indeterminate value]" \ [[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\]. (See also [undefined behavior 10| CC. Undefined Behavior#ub_10] of Annex J.)

In the common case, on implementations that make use of a program stack, this value defaults to whichever values are currently stored in stack memory. While uninitialized memory often contains zeroes, this is not guaranteed. On implementations that include trap representations, reading an uninitialized object of any type other than unsigned char (including int) may trigger a trap. (See undefined behavior 11 of Annex J.) Consequently, uninitialized memory can cause a program to behave in an unpredictable or unplanned manner, lead to undefined behavior , and can provide an avenue for attack.

...

Noncompliant Code Example

Wiki MarkupIn this noncompliant code example, the programmer mistakenly fails to set the local variable {{error_log}} to the {{msg}} argument in the {{report_error()}} function \ [[Mercy 2006|AA. Bibliography#mercy 06]\]. Because {{error_log}} has not been initialized, on architectures making use of a program stack, it assumes the value already on the stack at this location, which is a pointer to the stack memory allocated to the {{password}} array. The {{sprintf()}} call copies data in {{password}} until a null byte is reached. If the length of the string stored in the {{password}} array is greater than the size of the {{buffer}} array, a buffer overflow occurs.

Code Block
bgColor#FFCCCC
langc
#include <stdio.h>
#include <ctype.h>
#include <string.h>

int do_auth(void) {
  char *username;
  char *password;

  /* Get username and password from user, return -1 if invalid */
}

void report_error(const char *msg) {
  const char *error_log;
  char buffer[24];

  sprintf(buffer, "Error: %s", error_log);
  printf("%s\n", buffer);
}

int main(void) {
  if (do_auth() == -1) {
    report_error("Unable to login");
  }
  return 0;
}

...

Tool

Version

Checker

Description

Section

LDRA tool suite

Include Page
c:LDRA_Vc:
LDRA_V
Section

57 D
69 D

Section

Fully Implemented

Section

Fortify SCA

 

 

Section

can detect violations of this rule, but will return false positives if the initialization was done in another function.

Section

Splint

Include Page
c:Splint_Vc:
Splint_V

 

 

Section

GCC

Include Page
c:GCC_Vc:
GCC_V

 

Section

can detect some violations of this rule when the -Wuninitialized flag is used.

Section

Compass/ROSE

 

 

Section

automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well.

Section

Coverity Prevent

Include Page
c:Coverity_Vc:
Coverity_V
Section

NO_EFFECT

Section

can find cases of an uninitialized variable being used before it is initialized, although it cannot detect cases of uninitialized members of a struct. Because Coverity Prevent cannot discover all violations of this rule further verification is necessary.

Section

Klocwork

Include Page
c:Klocwork_Vc:
Klocwork_V
Section

UNINIT.HEAP.MIGHT UNINIT.HEAP.MUST UNINIT.STACK.ARRAY.MIGHT UNINIT.STACK.ARRAY.MUST UNINIT.STACK.ARRAY.PARTIAL.MUST UNINIT.STACK.MUST

 

...

ISO/IEC TR 24772 "LAV Initialization of Variables"

Bibliography

...

\[[Flake 2006|AA. Bibliography#Flake 06]\] \[[Mercy 2006|AA. Bibliography#mercy 06]\] \[[xorl 2009|AA. Bibliography#xorl 2009]\] []
[Mercy 2006]
[xorl 2009] "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read"|http://xorl.wordpress.com/2009/06/26/cve-2009-1888-samba-acls-uninitialized-memory-read/]

...

EXP32-C. Do not access a volatile object through a non-volatile reference      03. Expressions (EXP)