...

Dynamic memory managers are not required to clear freed memory and generally do not because of the additional runtime overhead. Furthermore, dynamic memory managers are free to reallocate this same memory. As a result, it is possible to accidentally leak sensitive information if it is not cleared before calling a function that frees dynamic memory. Programmers also cannot rely on memory being cleared during allocation. (See guideline recommendation MEM09-C. Do not assume memory allocation routines initialize memory.)

...

The calloc() function ensures that the newly allocated memory is zero-filled. Because sizeof(char) is guaranteed to be 1, the multiplication calloc() performs internally (count * sizeof(char)) cannot overflow, so this solution does not need a separate overflow check. (See guideline recommendation MEM07-C. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t.)

See guideline recommendation MSC06-C. Be aware of compiler optimization when dealing with sensitive data for a discussion of the memset_s() function and of why a plain memset() immediately before free() may be removed by the optimizer as a dead store.

...

The value of secret_size is tested before the multiplication so that secret_size * 2 cannot wrap around; because secret_size is a size_t, the relevant bound is SIZE_MAX / 2. (See guideline rule INT32-C. Ensure that operations on signed integers do not result in overflow.)

...

The calloc() function ensures that the newly allocated memory is zero-filled. Because sizeof(char) is guaranteed to be 1, the multiplication calloc() performs internally (count * sizeof(char)) cannot overflow, so this solution does not need a separate overflow check. (See guideline recommendation MEM07-C. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t.)
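The full lifecycle the preceding paragraphs describe, clearing a heap buffer before free(), allocating it zero-filled with calloc(), and growing it without realloc() so that no copy of the secret is left behind, as an added example in C. This is not code from the CERT page; secure_clear(), secure_free(), alloc_cleared(), grow_secret(), nonzero_bytes() and secret_lifecycle() are hypothetical names, the volatile-pointer loop stands in for memset_s() where C11 Annex K is unavailable, and the secret string is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Clears n bytes through a volatile pointer so the compiler cannot drop
 * the stores as dead writes before free(). Hypothetical helper; where
 * C11 Annex K is available, memset_s() serves the same purpose. */
void secure_clear(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0) {
        *vp++ = 0;
    }
}

/* Clears a heap buffer of n bytes and then releases it. */
void secure_free(void *p, size_t n) {
    if (p != NULL) {
        secure_clear(p, n);
        free(p);
    }
}

/* Allocates a zero-filled buffer of n bytes. calloc(n, sizeof(char))
 * cannot overflow because sizeof(char) == 1, so no multiplication
 * check (MEM07-C) is needed here. */
char *alloc_cleared(size_t n) {
    return calloc(n, sizeof(char));
}

/* Grows a secret buffer to twice its size without realloc(), which could
 * move the data and leave the old block, secret included, for the
 * allocator to reuse. On success the old buffer is cleared and freed and
 * the new buffer is returned; on failure NULL is returned and the old
 * buffer is left intact for the caller to dispose of. */
char *grow_secret(char *secret, size_t secret_size) {
    if (secret_size > SIZE_MAX / 2) {
        return NULL; /* secret_size * 2 would wrap around */
    }
    char *temp = alloc_cleared(secret_size * 2);
    if (temp == NULL) {
        return NULL;
    }
    memcpy(temp, secret, secret_size);
    secure_free(secret, secret_size);
    return temp;
}

/* Counts non-zero bytes in a buffer, used to check that clearing
 * actually happened before the memory was handed back. */
size_t nonzero_bytes(const unsigned char *p, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] != 0) {
            count++;
        }
    }
    return count;
}

/* Walks the lifecycle on a constructed secret: allocate cleared, fill,
 * grow, clear, free. Returns the final buffer size reached, or 0 on
 * any failure. */
size_t secret_lifecycle(const char *constructed_secret) {
    size_t size = strlen(constructed_secret) + 1;
    char *secret = alloc_cleared(size);
    if (secret == NULL) {
        return 0;
    }
    memcpy(secret, constructed_secret, size);
    char *bigger = grow_secret(secret, size);
    if (bigger == NULL) {
        secure_free(secret, size);
        return 0;
    }
    size *= 2;
    /* ... process bigger ... */
    secure_free(bigger, size);
    return size;
}

int main(void) {
    size_t reached = secret_lifecycle("hunter2"); /* constructed secret */
    printf("final buffer size: %zu\n", reached);
    return reached == 0 ? 1 : 0;
}
```

Note that nonzero_bytes() must be applied to a buffer before it is freed; reading freed memory is undefined behaviour, so the check belongs at the clearing step rather than after free().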

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: MEM03-CPP. Clear sensitive information stored in returned reusable resources

Bibliography

[Black 2007]
[CWE] CWE-226: Sensitive Information Uncleared Before Release (http://cwe.mitre.org/data/definitions/226.html)
[CWE] CWE-244: Failure to Clear Heap Memory Before Release ('Heap Inspection') (http://cwe.mitre.org/data/definitions/244.html)
[Fortify 2006]
[Graff 2003]
[ISO/IEC 9899:1999] Section 7.20.3, "Memory management functions"
[ISO/IEC TR 24772] "XZK Sensitive Information Uncleared Before Use"

...
