
...

The signature is similar to strcpy() but takes an extra argument of type rsize_t that specifies the maximum length of the destination buffer. Functions that accept parameters of type rsize_t diagnose a constraint violation if the values of those parameters are greater than RSIZE_MAX. Extremely large object sizes are frequently a sign that an object's size was calculated incorrectly; for example, negative numbers appear as very large positive numbers when converted to an unsigned type like size_t. For those reasons, it is sometimes beneficial to restrict the range of object sizes to detect errors. For machines with large address spaces, ISO/IEC TR 24731-1 recommends that RSIZE_MAX be defined as the smaller of the size of the largest object supported or (SIZE_MAX >> 1), even if this limit is smaller than the size of some legitimate but very large objects. See also guideline recommendation INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.

...

When a runtime-constraint violation is detected, the destination string is set to the null string (as long as it is not a null pointer, and the maximum length of the destination buffer is greater than zero and not greater than RSIZE_MAX) and the function returns a nonzero value. In the following example, the strcpy_s() function is used to copy src1 to dst1.
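The runtime-constraint behaviour described in the two paragraphs above, as an added illustration that is not the guideline's own example and not the standard's or any libc's strcpy_s(): a simplified model of strcpy_s() that rejects sizes above RSIZE_MAX, resets the destination to the null string on a violation when the page's conditions allow it, and returns nonzero. The typedefs for rsize_t and errno_t and the RSIZE_MAX definition are local assumptions (glibc does not ship Annex K), and the real function's overlap check is omitted.

```c
/* Added model of strcpy_s() runtime constraints; not a standard implementation. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

typedef size_t rsize_t;   /* assumption: TR 24731-1 types defined locally */
typedef int errno_t;
#ifndef RSIZE_MAX
#define RSIZE_MAX (SIZE_MAX >> 1)   /* TR 24731-1's suggested upper bound */
#endif

/* Bounded length: never scans past `limit` bytes of s. */
static rsize_t bounded_len(const char *s, rsize_t limit) {
    rsize_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Model of strcpy_s(dest, dmax, src): 0 on success, nonzero on a
   runtime-constraint violation. dest becomes "" on a violation only when
   dest is non-null and 0 < dmax <= RSIZE_MAX, matching the text above. */
errno_t demo_strcpy_s(char *dest, rsize_t dmax, const char *src) {
    if (dest == NULL) return EINVAL;                  /* nothing safe to write */
    if (dmax == 0 || dmax > RSIZE_MAX) return ERANGE; /* suspicious size, left untouched */
    if (src == NULL) { dest[0] = '\0'; return EINVAL; }
    rsize_t n = bounded_len(src, dmax);
    if (n >= dmax) { dest[0] = '\0'; return ERANGE; } /* src + NUL does not fit */
    memcpy(dest, src, n + 1);
    return 0;
}

/* The negative-length pitfall from the text: -1 converted to rsize_t exceeds
   RSIZE_MAX, so it is diagnosed instead of being treated as a huge buffer. */
int negative_size_is_rejected(void) {
    char buf[8] = "keep";
    long computed = -1;                 /* constructed: a miscalculated size */
    errno_t r = demo_strcpy_s(buf, (rsize_t)computed, "x");
    return r != 0 && strcmp(buf, "keep") == 0;  /* rejected, buf untouched */
}
```

The size check comes before any write, so a caller that passes a miscalculated size gets an error rather than a partially overwritten buffer; the only writes made on a violation are the single terminator the text describes.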

...

ISO/IEC TR 24731-1 functions are still capable of overflowing a buffer if the maximum length of the destination buffer and the number of characters to copy are incorrectly specified. ISO/IEC TR 24731-2 functions can make it more difficult to keep track of memory that must be freed, leading to memory leaks. As a result, the ISO/IEC TR 24731 functions are not particularly secure but may be useful in preventive maintenance to reduce the likelihood of vulnerabilities in an existing legacy code base.

...

The following compliant solution performs some of the checking at compile time using a static assertion. (See guideline recommendation DCL03-C. Use a static assertion to test the value of a constant expression.)
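The compile-time approach the sentence above refers to, as an added example that is not the guideline's own compliant solution: a fixed-size source copied into a fixed-size destination, with the fit checked by a DCL03-C-style static assertion so that no runtime check is needed. The source string and buffer size are constructed for the example, and the macro is named STATIC_ASSERT to avoid clashing with C11's static_assert from <assert.h>.

```c
/* Added example of compile-time size checking; not the page's own code. */
#include <stddef.h>
#include <string.h>

#define JOIN(x, y) JOIN_AGAIN(x, y)
#define JOIN_AGAIN(x, y) x ## y
/* A negative array bound is a constraint violation, so a false condition
   stops compilation with a diagnostic naming this line. */
#define STATIC_ASSERT(e) \
    typedef char JOIN(assertion_failed_at_line_, __LINE__)[(e) ? 1 : -1]

enum { DEST_SIZE = 16 };
static const char SOURCE[] = "constructed";  /* constructed input: 11 chars + NUL */

/* Both sizes are compile-time constants, so the check costs nothing at runtime
   and a later edit that grows SOURCE past DEST_SIZE breaks the build instead
   of the buffer. */
STATIC_ASSERT(sizeof(SOURCE) <= DEST_SIZE);

/* Copies SOURCE into dest, which the caller guarantees holds DEST_SIZE bytes.
   The assertion above proved the fit, so copying the exact byte count
   (terminator included) cannot overflow. Returns the string length copied. */
size_t copy_source(char *dest) {
    memcpy(dest, SOURCE, sizeof(SOURCE));
    return sizeof(SOURCE) - 1;
}
```

This only works when both sizes are constant expressions; where either is computed at runtime, the rsize_t-bounded functions discussed earlier remain the appropriate tool.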

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC PDTR 24772 "TRJ Use of Libraries"

Bibliography

[ISO/IEC 9899:1999] Section 7.21, "String handling <string.h>"
[ISO/IEC TR 24731-1:2007]
[Seacord 2005a] Chapter 2, "Strings"
[Seacord 2005b]

...