SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 33

changes.mady.by.user Alex Volkovitsky

Saved on

compared with

New Version 34

changes.mady.by.user Justin Pincar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider v2.4 (sch jbop) (X_X)@==(Q_Q)@

...

If suitable source code-checking tools are available, use them regularly.

Exceptions

Wiki Markup
*MSC00-EX1:* Compilers can produce diagnostic messages for correct code. This is permitted by C99 \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\], which allows a compiler to produce a diagnostic for any reason.  It is usually preferable to rewrite code to eliminate compiler warnings, but if the code is correct it is sufficient to provide a comment explaining why the warning message does not apply.  Some compilers provide ways to suppress warnings, such as suitably formatted comments or pragmas, which can be used sparingly when the programmer understands the implications of the warning but has good reason to use the flagged construct anyway.

Do not simply quiet warnings by adding type casts or other means. Instead, understand the reason for the warning and consider a better approach, such as using matching types and avoiding type casts whenever possible.

Risk Assessment

Eliminating violations of syntax rules and other constraints can eliminate serious software vulnerabilities that can lead to the execution of arbitrary code with the permissions of the vulnerable process.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC00-A C

medium

probable

medium

P8

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 5.1.1.3, "Diagnostics"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 563|http://cwe.mitre.orgdata/definitions/563.html], "Unused Variable"; [CWE ID 570|http://cwe.mitre.org/data/definitions/570.html], "Expression is Always False"; [CWE ID 571|http://cwe.mitre.org/data/definitions/571.html], "Expression is Always True"
\[[Sutter 05|AA. C References#Sutter 05]\] Item 1
\[[Seacord 05a|AA. C References#Seacord 05]\] Chapter 8, "Recommended Practices"

...

13. Miscellaneous (MSC)      13. Miscellaneous (MSC)       MSC01-A. Strive for logical completeness Image Added