...
Padding is also referred to as "struct member alignment." Many compilers provide a flag that controls how the members of a structure are packed into memory. Modifying this flag may cause the size of the structures to vary. Most compilers also include a keyword that removes all padding; the resulting structures are referred to as packed structures. Overriding the default behavior is often unwise because it leads to interface compatibility problems (the nominally same struct has its layout interpreted differently in different modules).
...
Noncompliant Code Example
This noncompliant code example assumes that the size of `struct buffer` is equal to the sum of the sizes of its individual components, which may not be the case [Dowd 06]. The size of `struct buffer` may actually be larger due to structure padding.
```c
#include <stdlib.h>
#include <string.h>

struct buffer {
  size_t size;
  char bufferC[50];
};

/* ... */

void func(const struct buffer *buf) {

  /*
   * Assumes sizeof(struct buffer) =
   * sizeof(size_t) + 50 * sizeof(char) = 54
   */
  struct buffer *buf_cpy = (struct buffer *)malloc(54);

  if (buf_cpy == NULL) {
    /* Handle malloc() error */
  }

  /*
   * With padding, sizeof(struct buffer) may be greater than
   * 54, causing some data to be written outside the bounds
   * of the memory allocated.
   */
  memcpy(buf_cpy, buf, sizeof(struct buffer));

  /* ... */

  free(buf_cpy);
}
```
Compliant Solution
Accounting for structure padding prevents these types of errors.
```c
#include <stdlib.h>
#include <string.h>

enum {buffer_size = 50};

struct buffer {
  size_t size;
  char bufferC[buffer_size];
};

/* ... */

void func(const struct buffer *buf) {

  /* The allocation size comes from the type, so padding is included */
  struct buffer *buf_cpy =
    (struct buffer *)malloc(sizeof(struct buffer));

  if (buf_cpy == NULL) {
    /* Handle malloc() error */
  }

  /* ... */

  memcpy(buf_cpy, buf, sizeof(struct buffer));

  /* ... */

  free(buf_cpy);
}
```
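The following added example (not part of the original page) measures the padding in `struct buffer` with `offsetof` and `sizeof`, and reports how many bytes the noncompliant `memcpy()` would write past an allocation sized from the sum of the members. The helper names `MEMBER_SIZE`, `member_sum`, `inner_padding`, `tail_padding`, `overrun_bytes` and `buffer_clone` are hypothetical and introduced here for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { buffer_size = 50 };

struct buffer {
  size_t size;
  char bufferC[buffer_size];
};

/* Size of one member without needing an object of the type (hypothetical helper). */
#define MEMBER_SIZE(type, member) (sizeof(((type *)0)->member))

/* Sum of the member sizes: the figure the noncompliant example hard-codes. */
size_t member_sum(void) {
  return MEMBER_SIZE(struct buffer, size) + MEMBER_SIZE(struct buffer, bufferC);
}

/* Padding the compiler inserted between size and bufferC. */
size_t inner_padding(void) {
  return offsetof(struct buffer, bufferC) - MEMBER_SIZE(struct buffer, size);
}

/* Padding after bufferC so that elements of a struct buffer array stay aligned. */
size_t tail_padding(void) {
  return sizeof(struct buffer) -
         (offsetof(struct buffer, bufferC) + MEMBER_SIZE(struct buffer, bufferC));
}

/* Bytes that memcpy(dst, src, sizeof(struct buffer)) writes past an
 * allocation of `allocated` bytes; 0 when the allocation is large enough. */
size_t overrun_bytes(size_t allocated) {
  return sizeof(struct buffer) > allocated ? sizeof(struct buffer) - allocated : 0;
}

/* Copy that sizes the allocation from the type; returns NULL on failure. */
struct buffer *buffer_clone(const struct buffer *src) {
  struct buffer *dst = malloc(sizeof *dst);
  if (dst != NULL) memcpy(dst, src, sizeof *dst);
  return dst;
}

int main(void) {
  printf("member sum %zu, sizeof %zu, inner pad %zu, tail pad %zu\n",
         member_sum(), sizeof(struct buffer), inner_padding(), tail_padding());
  printf("overrun with malloc(member_sum()): %zu bytes\n",
         overrun_bytes(member_sum()));
  return 0;
}
```

On a typical LP64 platform (8-byte `size_t` with 8-byte alignment) the member sum is 58 and `sizeof(struct buffer)` is 64, so an allocation sized from the members is overrun by 6 bytes; with a 4-byte `size_t` the figures are 54 and 56.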
Risk Assessment
Failure to correctly determine the size of a structure can lead to subtle logic errors and incorrect calculations.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP03-A C | medium | unlikely | high | P2 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[Dowd 06] Chapter 6, "C Language Issues" (Structure Padding 284-287)
[ISO/IEC 9899:1999] Section 6.7.2.1, "Structure and union specifiers"
[Sloss 04] Section 5.7, "Structure Arrangement"
...