Flexible array members are a special type of array in which the last element of a structure with more than one named member has an incomplete array type; that is, the size of the array is not specified explicitly within the structure. This "struct hack" was widely used in practice and supported by a variety of compilers. Consequently, a variety of different syntaxes have been used for declaring flexible array members. For C-compliant implementations, use the syntax guaranteed valid by the C standard [ISO/IEC 9899:2011].
Flexible array members are defined in Section 6.7.2.1 of the C standard as follows:
...
- The incomplete array type must be the last element within the structure.
- There cannot be an array of structures that contain flexible array members.
- Structures that contain a flexible array member cannot be used as a member in the middle of another structure.
Rule MEM33-C, "Allocate and copy structures containing flexible array members dynamically," describes how to allocate and copy such structures.
...
The problem with this approach is that the behavior is undefined when accessing any element of data other than the first. (See Section 6.5.6, para. 82 of the C standard [ISO/IEC 9899:2011].) Consequently, the compiler can generate code that does not return the expected value when accessing the second element of data.
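For contrast, the following added example (not code from the original page) declares the array with the standard flexible array member syntax and allocates and copies the structure dynamically, as MEM33-C requires. The names `flex_buf`, `flex_buf_new`, `flex_buf_set`, and `flex_buf_clone` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard syntax: the last member has an incomplete array type. */
struct flex_buf {              /* hypothetical name */
    size_t num;                /* number of elements in data[] */
    int data[];                /* flexible array member, not data[1] or data[0] */
};

/* Allocate header plus n elements; reject sizes that would wrap size_t. */
struct flex_buf *flex_buf_new(size_t n) {
    if (n > (SIZE_MAX - sizeof(struct flex_buf)) / sizeof(int))
        return NULL;
    struct flex_buf *p = calloc(1, sizeof *p + n * sizeof(int));
    if (p != NULL)
        p->num = n;
    return p;
}

/* Bounds-checked store: every index below num is a valid element. */
int flex_buf_set(struct flex_buf *p, size_t i, int v) {
    if (p == NULL || i >= p->num)
        return -1;
    p->data[i] = v;
    return 0;
}

/* Copy dynamically (MEM33-C): struct assignment would not copy data[]. */
struct flex_buf *flex_buf_clone(const struct flex_buf *src) {
    if (src == NULL)
        return NULL;
    struct flex_buf *dst = flex_buf_new(src->num);
    if (dst != NULL)
        memcpy(dst->data, src->data, src->num * sizeof(int));
    return dst;
}

int main(void) {
    struct flex_buf *a = flex_buf_new(4);
    if (a == NULL || flex_buf_set(a, 3, 42) != 0)
        return EXIT_FAILURE;
    struct flex_buf *b = flex_buf_clone(a);
    if (b == NULL) { free(a); return EXIT_FAILURE; }
    printf("b->data[3] = %d, out-of-range set -> %d\n",
           b->data[3], flex_buf_set(b, 4, 1));
    free(b);
    free(a);
    return EXIT_SUCCESS;
}
```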
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC 9899:2011 Section 6.7.2.1, "Structure and union specifiers"
...