SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 15

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 16

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This noncompliant code example is from an actual vulnerability (VU#837857) discovered in some versions of the X Window System server. The vulnerability exists because the programmer neglected to provide the open and close parentheses following the geteuid() function identifier. As a result, the geteuid token returns the address of the function, which is never equal to zero. As a result, the or condition of this if statement is always true and access is provided to the protected block for all users. Many compilers issue a warning noting such pointless expressions. Therefore, this coding error is normally detected by adherence to guideline MSC00-C. Compile cleanly at high warning levels.

...

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC02-C

low

likely

medium

P6

L2

Automated Detection

...

Tool

Version

Checker

Description

Section

Coverity Prevent

Include Page
c:Coverity_V
c:Coverity_V
Section

BAD_COMPARE

Section

can detect the specific instance where the address of a function is compared against 0, such as in the case of geteuid versus getuid() in the Implementation-Specific Details.

The LDRA tool suite Version 7.6.0 can detect violations of this recommendation???

...

Section

LDRA tool suite

Include Page
c:LDRA_V
c:LDRA_V

 

 

Section

GCC

Include Page
c:GCC_V
c:GCC_V

 

Section

can detect violations of this recommendation when the -Wall flag is used.

Section

Klocwork

Include Page
c:Klocwork_V

...

c:Klocwork_V
Section

EFFECT

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

This rule appears in the C++ Secure Coding Standard as : EXP16-CPP. Avoid errors of omission.

Bibliography

Wiki Markup
\[[Hatton 951995|AA. Bibliography#Hatton 95]\] Section 2.7.2, "Errors of omission and addition"
\[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "KOA Likely Incorrect Expressions"
\[[MITRE 072007|AA. Bibliography#MITRE 07]\] [CWE ID 482|http://cwe.mitre.org/data/definitions/482.html], "Comparing instead of Assigning," [CWE ID 480|http://cwe.mitre.org/data/definitions/480.html], "Use of Incorrect Operator"

...