Versions Compared

Comment: extended to arguments passed to library functions and added SonarQube

...

  • Integer operands of any pointer arithmetic, including array indexing;
  • The assignment expression for the declaration of a variable length array;
  • The postfix expression preceding square brackets [] or the expression in square brackets [] of a subscripted designation of an element of an array object; and
  • Function arguments of type size_t or rsize_t (for example, an argument to a memory allocation function).

This rule also applies to arguments passed to library functions such as memset(), memchr(), and strchr() that are truncated (converted to a narrower type) by the function.
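The truncation of library-function arguments described above, shown in an added C example (this code is not from the CERT page). The noncompliant pattern passes an int outside the range of unsigned char to memset(), which converts it internally; the compliant pattern checks the value first. The helpers memset_value_representable() and length_to_size() are hypothetical names introduced here, and the inputs are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from the CERT page: true when an int passed as
 * memset()'s second argument is representable as unsigned char, i.e. the
 * conversion memset() performs internally cannot alter it. */
bool memset_value_representable(int value) {
    return value >= 0 && value <= UCHAR_MAX;
}

/* Hypothetical helper: convert a signed length to the size_t a library
 * function expects, but only when the value is non-negative. A negative
 * int converted to size_t becomes a huge value (misinterpreted data). */
bool length_to_size(int len, size_t *out) {
    if (len < 0) {
        return false;
    }
    *out = (size_t)len;
    return true;
}

/* Noncompliant pattern: memset() converts `value` to unsigned char, so
 * 0x100 silently becomes 0x00 and 0x1FF becomes 0xFF. Returns the first
 * byte actually written so the truncation is observable. */
unsigned char fill_unchecked(unsigned char *buf, size_t n, int value) {
    memset(buf, value, n);
    return buf[0];
}

/* Compliant pattern: reject any fill value the conversion would alter and
 * report the rejection to the caller instead of filling the wrong bytes. */
bool fill_checked(unsigned char *buf, size_t n, int value) {
    if (!memset_value_representable(value)) {
        return false;
    }
    memset(buf, value, n);
    return true;
}

int main(void) {
    unsigned char buf[8];
    size_t n;

    /* Constructed inputs: one value outside unsigned char range, one negative length. */
    printf("unchecked memset with 0x100 wrote byte 0x%02X\n",
           fill_unchecked(buf, sizeof buf, 0x100));
    printf("checked memset with 0x100: %s\n",
           fill_checked(buf, sizeof buf, 0x100) ? "filled" : "rejected");
    printf("length -1 -> size_t: %s\n",
           length_to_size(-1, &n) ? "converted" : "rejected");
    return 0;
}
```

The unchecked call with 0x100 zeroes the buffer instead of filling it, which is exactly the defect the SonarQube checker memsetValueOutOfRange listed below reports; the checked variant makes the caller handle the out-of-range value explicitly.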

The only integer type conversions that are guaranteed to be safe for all data values and all possible conforming implementations are conversions of an integral value to a wider type of the same signedness. The C Standard, 6.3.1.3 [ISO/IEC 9899:2011], says,

...

Tool | Version | Checker | Description
--- | --- | --- | ---
CodeSonar | | ALLOC.SIZE.TRUNC | Truncation of Allocation Size
CodeSonar | | LANG.CAST.COERCE | Coercion Alters Value
CodeSonar | | LANG.CAST.VALUE | Cast Alters Value
CodeSonar | | MISC.MEM.SIZE.TRUNC | Truncation of Size
Compass/ROSE | | | Can detect violations of this rule. However, false warnings may be raised if limits.h is included.
Coverity* | | NEGATIVE_RETURNS | Can find array accesses, loop bounds, and other expressions that may contain dangerous implied integer conversions that would result in unexpected behavior.
Coverity* | | REVERSE_NEGATIVE | Can find instances where a negativity check occurs after the negative value has been used for something else.
Coverity* | | MISRA_CAST | Can find instances where an integer expression is implicitly converted to a narrower integer type, where the signedness of an integer value is implicitly converted, or where the type of a complex expression is implicitly converted.
Fortify SCA | 5.0 | | Can detect violations of this rule with the CERT C Rule Pack.
Klocwork | | PRECISION.LOSS | 
LDRA tool suite | | 93 S, 433 S, 434 S | Fully implemented.
PRQA QA-C | | 2850, 2851, 2852, 2853, 2855, 2856, 2857, 2858, 2890, 2891, 2892, 2893, 2895, 2896, 2897, 2898, 2900, 2901, 2902, 2903, 2905, 2906, 2907, 2908 | Partially implemented.
SonarQube | | c-cppcheck:memsetValueOutOfRange | The 2nd argument to memset() cannot be represented as unsigned char.

* Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

...

[Dowd 2006] Chapter 6, "C Language Issues" ("Type Conversions," pp. 223–270)
[ISO/IEC 9899:2011] 6.3.1.3, "Signed and Unsigned Integers"
[Jones 2008] Section 6.2.6.2, "Integer Types"
[Seacord 2013b] Chapter 5, "Integer Security"
[Viega 2005] Section 5.2.9, "Truncation Error"; Section 5.2.10, "Sign Extension Error"; Section 5.2.11, "Signed to Unsigned Conversion Error"; Section 5.2.12, "Unsigned to Signed Conversion Error"
[Warren 2002] Chapter 2, "Basics"
[xorl 2009] "CVE-2009-1376: Pidgin MSN SLP Integer Truncation"

...