SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 20

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The type , precision, and range of clock_t are implementation defined. time_t is specified as an "arithmetic type capable of representing times." as size_t, which is the unsigned result of the sizeof operator. However, how time is encoded within the arithmetic type is unspecified.

Non-Compliant Code Example

However, the way time is encoded within this arithmetic type by the function time() is unspecified. See unspecified behavior 48 in Annex J of the C Standard. Because the encoding is unspecified, there is no safe way to manually perform arithmetic on the type, and as a result, the values should not be modified directly.

Note that POSIX specifies that the time() function must return a value of type time_t, representing time in seconds since the Epoch. POSIX-conforming applications that are not intended to be portable to other environments therefore may safely perform arithmetic operations on time_t objects.

Noncompliant Code Example

This noncompliant code example This code attempts to execute do_some_work() multiple times until at least seconds_to_work has passed. However, because the encoding is not defined, there is no guarantee that adding start to seconds_to_work will result in adding seconds_to_work seconds.

Code Block
bgColor#FFCCCC
langc

int do_work(int seconds_to_work) {
  time_t start;
  start = time(NULL);

  if (start == (time_t)(-1)) {
    /* Handle error */
  }
  while (time(NULL) < start + secondseconds_to_work) {
    /*  do_some_work();... */
  }
  return 0;
}

Compliant Solution

This compliant solution uses difftime() to determine the difference between two time_t values. The difftime() function returns the number of seconds, from the second parameter until the first parameter and returns the result, as a double.

Code Block
bgColor#ccccff
langc

int do_work(int seconds_to_work) {
  time_t start, current = time(NULL);
  starttime_t current = time()start;

  if (start == (time_t)(-1)) {
    /* Handle error */
  }
  while (timedifftime(current, start) < start + secondseconds_to_work) {
    current = time(NULL);
    if (current == (time_t)(-1)) {
       /* Handle error */
    }
    if (difftime(current, start) >= seconds_to_work)
      break;/* ... */
  }
    do_some_work();
  }return 0;
}

Note that this loop may still might not exit , as because the range of time_t may might not be able to represent two times seconds_to_work apart.

Risk Assessment

Using time_t incorrectly can lead to broken logic that could can place a program in an infinite loop or cause an expected logic branch to not actually execute.

Rule Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC05-A

1 (low)

1 (low)

2 (medium)

P2

L3

References

...

C

Low

Unlikely

Medium

P2

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE

 

 

Can detect violations of this recommendation

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.MSC05

Fully implemented

LDRA tool suite
Include Page
LDRA_V
LDRA_V
96 S, 101 S, 107 S, 433 S, 458 SPartially Implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

AA. C References#Kettlewell 02]] Section 4.1, "time_t"

Related Guidelines

SEI CERT C++ Coding StandardVOID MSC05-CPP. Do not manipulate time_t typed values directly

Bibliography

[Kettlewell 2002]Section 4.1, "time_t"

 

...

Image Added Image Added Image Added Wiki Markup\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]] Section 7.23, "Date and time <time.h>"