Versions Compared


...

Code Block

int buf[INTBUFSIZE];
int *buf_ptr = buf;

/* Stop when the next write would land on buf[INTBUFSIZE]; forming that
 * one-past-the-end address is allowed, dereferencing it is not. */
while (havedata() && buf_ptr < &buf[INTBUFSIZE]) {
  *buf_ptr++ = parseint(getdata());
}

This works because C99 endorses existing practice by guaranteeing that it is permissible to use the address of buf[INTBUFSIZE] even though no such element exists.

Non-Compliant Code Example

...

Code Block

#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct big {
    unsigned long long ull_1; /* typically 8 bytes */
    unsigned long long ull_2; /* typically 8 bytes */
    unsigned long long ull_3; /* typically 8 bytes */
    int si_4; /* typically 4 bytes */
    int si_5; /* typically 4 bytes */
};
/* ... */
size_t skip = offsetof(struct big, ull_2);
struct big *s = (struct big *)malloc(sizeof(struct big));
if (!s) {
   /* Handle malloc() error */
}

/* Wrong: s is a struct big *, so s + skip advances skip * sizeof(struct big)
 * bytes, not skip bytes, and memset() writes past the end of the object. */
memset(s + skip, 0, sizeof(struct big) - skip);
/* ... */
free(s);
s = NULL;

A similar situation occurred in OpenBSD's make command [Murenin 07].

...

Code Block

#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct big {
    unsigned long long ull_1; /* typically 8 bytes */
    unsigned long long ull_2; /* typically 8 bytes */
    unsigned long long ull_3; /* typically 8 bytes */
    int si_4; /* typically 4 bytes */
    int si_5; /* typically 4 bytes */
};
/* ... */
size_t skip = offsetof(struct big, ull_2);
struct big *s = (struct big *)malloc(sizeof(struct big));
if (!s) {
   /* Handle malloc() error */
}

/* Casting to char * makes the arithmetic advance skip bytes, so the
 * memset() stays inside the object. */
memset((char *)s + skip, 0, sizeof(struct big) - skip);
/* ... */
free(s);
s = NULL;
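The following is an added example, not code from the original page: it measures how far `s + skip` really moves a `struct big *` compared with the byte offset the compliant solution intends, and wraps the `(char *)` form in a bounds-checked helper. The helper names (`bytes_advanced_by_struct_arith`, `zero_tail`, `demo_zero_from_ull_2`) and the 0xAB fill pattern are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct big {
    unsigned long long ull_1;
    unsigned long long ull_2;
    unsigned long long ull_3;
    int si_4;
    int si_5;
};

/* Bytes that `s + skip` really advances: skip whole objects, not skip bytes.
 * Measured inside an array so the arithmetic stays within one allocation. */
size_t bytes_advanced_by_struct_arith(size_t skip) {
    struct big arr[16]; /* 16 exceeds every byte offset inside struct big */
    struct big *s = arr;
    if (skip >= 16) {
        return 0; /* s + skip would leave the array; not measurable safely */
    }
    return (size_t)((char *)(s + skip) - (char *)s);
}

/* Compliant-style zeroing of everything from byte offset `skip` to the end
 * of *s. Returns 0 on success, -1 if skip lies outside the object. */
int zero_tail(struct big *s, size_t skip) {
    if (s == NULL || skip > sizeof *s) {
        return -1;
    }
    memset((char *)s + skip, 0, sizeof *s - skip);
    return 0;
}

/* Fills a heap object with a nonzero pattern (constructed), zeroes from ull_2
 * onward, and returns 1 only if ull_1 survived while later fields became 0. */
int demo_zero_from_ull_2(void) {
    struct big *s = malloc(sizeof *s);
    int ok;
    if (s == NULL) {
        return 0;
    }
    memset(s, 0xAB, sizeof *s);
    ok = zero_tail(s, offsetof(struct big, ull_2)) == 0
         && s->ull_1 != 0 && s->ull_2 == 0 && s->ull_3 == 0
         && s->si_4 == 0 && s->si_5 == 0;
    free(s);
    return ok;
}
```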

Risk Assessment

Failure to understand and properly use pointer arithmetic can allow an attacker to execute arbitrary code.

...