SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 130

changes.mady.by.user Jill Britton

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Noncompliant Code Example (NULL)

Because the The C Standard allows Standard allows NULL to be either an integer constant or a pointer constant, any architecture in which int is not the same size as a pointer might present a particular vulnerability with variadic functions. If NULL is defined as an int on such a platform, then . While passing NULL as an argument to a function with a fixed number of arguments will cause NULL to be cast to the appropriate pointer type, when it is passed as a variadic argument, this will not happen if sizeof(NULL) != sizeof(void *), so variadic functions that accept an argument of pointer type will not correctly promote NULL to the correct size. ConsequentlyThis is possible for several reasons:

  • Pointers and ints may have different sizes on a platform where NULL is an integer constant
  • The platform may have different pointer types with different sizes on a platform. In that case, if NULL is a void pointer, it is the same size as a pointer to char (C11 section 6.2.5, paragraph 28), which might be sized differently than the required pointer type.

On either such platform, the following code will have have undefined behavior:

Code Block
bgColor#ffcccc
langc
char* string = NULL;
printf("%s %d\n", string, 1);

...

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL11
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.STRUCT.ELLIPSIS


Ellipsis

Compass/ROSE



Does not currently detect violations of this recommendation. Although the recommendation in general cannot be automated, because of the difficulty in enforcing contracts between a variadic function and its invokers, it would be fairly easy to enforce type correctness on arguments to the printf() family of functions

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.DCL11

Partially implemented

GCC
Include Page
GCC_V
GCC_V


Warns about inconsistently typed arguments to formatted output functions when the -Wall is used

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0206, C0207, C0208


Klocwork
Include Page
Klocwork_V
Klocwork_V
MISRA.FUNC.VARARG
SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD
SV.FMT_STR.PRINT_FORMAT_MISMATCH.UNDESIRED
SV.FMT_STR.SCAN_FORMAT_MISMATCH.BAD
SV.FMT_STR.SCAN_FORMAT_MISMATCH.UNDESIRED
SV.FMT_STR.PRINT_IMPROP_LENGTH
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY
SV.FMT_STR.UNKWN_FORMAT.SCAN
LDRA tool suite
Include Page
LDRA_V
LDRA_V

41 S, 589 S

Partially implemented

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL11-a
CERT_C-DCL11-b
CERT_C-DCL11-c
CERT_C-DCL11-d
CERT_C-DCL11-e
CERT_C-DCL11-f


There should be no mismatch between the '%s' or and '%c' tag from format specifiers in the format string and its their corresponding argument in 'printf' function invocationarguments in the invocation of a string formatting function
There should be no mismatch between the '%f' tag from format specifier in the format string and its corresponding argument in 'printf' function invocationthe invocation of a string formatting function
There should be no mismatch between the '%i' or and '%d' tag from format specifiers in the string and its their corresponding argument in 'printf' function invocationarguments in the invocation of a string formatting function
There should be no mismatch between the '%u' tag from format specifier in the format string and its corresponding argument in 'printf' function invocationthe invocation of a string formatting function
There should be no mismatch between the '%p' tag from format specifier in the format string and its corresponding argument in 'printf' function invocation
There should be no difference between the number of tags from the invocation of a string formatting function
The number of format specifiers in the format string and the number of corresponding argument in 'printf' function invocationarguments in the invocation of a string formatting function should be equal

Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

175, 559, 2408

Assistance provided: reports issues involving format strings

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

Format string specifiers and arguments mismatch

MISRA CERT C: 2012 Rule 17.1

String specifiers do not match corresponding arguments

The features of <stdarg.h> shall not be used

PRQA QA-C
Include Page
PRQA QA-C_vPRQA QA-C_v

0179 (U), 0184 (U), 0185 (U), 0186 (U), 0190 (U),

0191 (U), 0192 (U), 0193 (U), 0194 (U), 0195 (U),

0196 (U), 0197 (U), 0198 (U), 0199 (U), 0200 (U),

0201 (U), 0206 (U), 0207, 0208

Rec. DCL11-C


Checks for format string specifiers and arguments mismatch (rec. partially covered)

Partially implemented

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V576

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

...