Page History

...

The following tables list these macros and indicate in which version of the C Standard they were introduced. The following macros are required:

  1) __STDC_VERSION__ was introduced by an Amendment to C90, this version of the C Standard is commonly call C94 

 The following are optional environment macros:

  The following are optional feature macros:

 The following is optional and is defined by the user:

Noncompliant Code Example (Checking Value of Predefined Macro)

...

#include <stdio.h>

int main(void) {
  #if defined(__STDC__)
    #if (__STDC__ == 1)
      printf("Implementation is ISO-conforming.\n");
    #else
      printf("Implementation is not ISO-conforming.\n");
    #endif
  #else   /* !defined(__STDC__) */
    printf("__STDC__ is not defined.\n");
  #endif
  /* ... */
  return 0;
}

Compliant Solution (Test for Optional

...

Feature)

This compliant solution tests to see if the C11 predefined macro __STDC_ANALYZABLE__ is defined and what value the implementation has given the macro:

...

#if defined(__STDC_LIB_EXT1__)
  #if (__STDC_LIB_EXT1__ >= 201112L)
    #define USE_EXT1 1
    #define __STDC_WANT_LIB_EXT1__ 1 /* Want the ext1 functions */
  #endif
#endif
 
#include <string.h>
#include <stdlib.h>
 
int main(void) {
  char source_msg[] = "This is a test.";
  char *msg = malloc(sizeof(source_msg) + 1);
 
  if (msg != NULL) {
    #if defined(USE_EXT1)
      strcpy_s(msg, sizeof msg, source_msg);
    #else
      strcpy(msg, source_msg);
    #endif
  } 
  else {
    return EXIT_FAILURE;
  }
  return 0;
}

Compliant Solution (Optional Language Features)

The previous compliant solution comes close to violating PRE09-C. Do not replace secure functions with deprecated or obsolescent functions, and would if a function-like macro were defined which called either strcpy_s() or strcpy() depending on if USE_EXT1 were defined.  This compliant solution solves the problem by including a custom library that implements the optional language feature, which in this case is the Safe C Library available from SourceForge.

#if defined(__STDC_LIB_EXT1__)
  #if (__STDC_LIB_EXT1__ >= 201112L)
    #define USE_EXT1 1
    #define __STDC_WANT_LIB_EXT1__ 1 /* Want the ext1 functions */
  #endif
#endif
 
#include <string.h>
#include <stdlib.h>

#if !defined(USE_EXT1)
  #include "safe_str_lib.h"
#endif
  
int main(void) {
  char source_msg[] = "This is a test.";
  char *msg = malloc(sizeof(source_msg) + 1);
 
  if (msg != NULL) {
    strcpy_s(msg, sizeof msg, source_msg);
  } 
  else {
    return EXIT_FAILURE;
  }
  return 0;
}

Risk Assessment

Not testing for language features or the version of the implementation being used can lead to unexpected or undefined program behavior.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

Image Modified Image Modified Image Modified