According to the C Standard, 7.4.1 paragraph 1 [ISO/IEC 9899:2024],
The header <ctype.h> declares several functions useful for classifying and mapping characters. In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined.
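The constraint quoted above, as an added example that is not code from the CERT page or the C Standard: it shows which promoted values fall outside the permitted range and the cast through unsigned char that keeps a classification loop in range. The helper names ctype_arg_ok, promoted and count_leading_space are hypothetical, and the input buffer is constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: 1 if v is a valid <ctype.h> argument
 * (representable as unsigned char, or equal to EOF), else 0. */
int ctype_arg_ok(int v)
{
    return v == EOF || (v >= 0 && v <= UCHAR_MAX);
}

/* Value a plain-char byte has after promotion to int, i.e. what
 * isspace(*p) would receive if the call were made without a cast. */
int promoted(const char *p)
{
    return *p;
}

/* Compliant classification: convert through unsigned char first so the
 * argument is always in 0..UCHAR_MAX, whatever the signedness of char. */
size_t count_leading_space(const char *s, size_t len)
{
    size_t n = 0;
    while (n < len && isspace((unsigned char)s[n]))
        n++;
    return n;
}

int main(void)
{
    /* Constructed input: two spaces, a tab, then byte 0xE9. */
    const char buf[] = { ' ', ' ', '\t', (char)0xE9, 'x' };

    int raw = promoted(&buf[3]);       /* negative where char is signed */
    int fixed = (unsigned char)buf[3]; /* 233 on any platform */

    /* raw is only inspected here, never handed to a <ctype.h> function. */
    printf("raw=%d in range=%d\n", raw, ctype_arg_ok(raw));
    printf("fixed=%d in range=%d\n", fixed, ctype_arg_ok(fixed));
    printf("leading whitespace=%zu\n", count_leading_space(buf, sizeof buf));
    return 0;
}
```

Where char is signed and EOF is -1, byte 0xFF promotes to a value equal to EOF, so it passes the range check but is treated as end-of-file rather than as a character; the cast through unsigned char avoids that as well.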
...
Following are the character classification functions that this rule addresses:
XSI denotes an X/Open System Interfaces Extension to ISO/IEC 9945—POSIX. These functions are not defined by the C Standard.
...
Passing values that cannot be represented as an unsigned char to character-handling functions is undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR37-C | Low | Unlikely | Low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Astrée | | ctype-limits | Partially checked |
Axivion Bauhaus Suite | | CertC-STR37 | Fully implemented |
CodeSonar | | MISC.NEGCHAR | Negative character value |
Compass/ROSE | | | Could detect violations of this rule by seeing if the argument to a character handling function (listed above) is not an |
 | | CC2.STR37 | Fully implemented |
Helix QAC | | C4413, C4414 C++3051 | |
Klocwork | | AUTOSAR.STDLIB.CCTYPE.UCHAR MISRA.ETYPE.ASSIGN.2012 | |
LDRA tool suite | | 663 S | Fully implemented |
Parasoft C/C++test | | CERT_C-STR37-a | Do not pass incorrect values to ctype.h library functions |
Polyspace Bug Finder | | | Checks for invalid use of standard library integer routine (rule fully covered) |
RuleChecker | | ctype-limits | Partially checked |
TrustInSoft Analyzer | | valid_char | Partially verified. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | STR34-C. Cast characters to unsigned char before converting to larger integer sizes | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961 | Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-704, Incorrect Type Conversion or Cast | 2017-06-14: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-686 and STR37-C
Intersection( CWE-686, STR37-C) = Ø
STR37-C is not about the type of the argument passed (which is signed int), but about the restrictions placed on the value in this type (must be 0-UCHAR_MAX or EOF). I interpret ‘argument type’ to be specific to the C language, so CWE-686 does not apply to incorrect argument values, just incorrect types (which is relatively rare in C, but still possible).
CWE-704 and STR37-C
STR37-C = Subset( STR34-C)
CWE-683 and STR37-C
Intersection( CWE-683, STR37-C) = Ø
STR37-C excludes mis-ordered function arguments (assuming they pass type-checking), because there is no easy way to reliably detect violations of CWE-683.
Bibliography
[ISO/IEC 9899:2024] | 7.4.1, "Character Handling <ctype.h>" |
[Kettlewell 2002] | Section 1.1, "<ctype.h> and Characters Types" |
...
...