If a file with the same name as one of the standard headers, and not provided as part of the implementation, is placed in any of the places that are searched for included source files, the behavior is undefined.

The following table from the C Standard, subclause 7.1.2 [ISO/IEC 9899:2011], lists these standard headers. Giving a file in the library search path any of these names could cause problems:

<assert.h>    <complex.h>   <ctype.h>       <errno.h>
<fenv.h>      <float.h>     <inttypes.h>    <iso646.h>
<limits.h>    <locale.h>    <math.h>        <setjmp.h>
<signal.h>    <stdalign.h>  <stdarg.h>      <stdatomic.h>
<stdbool.h>   <stddef.h>    <stdint.h>      <stdio.h>
<stdlib.h>    <stdnoreturn.h>  <string.h>   <tgmath.h>
<threads.h>   <time.h>      <uchar.h>       <wchar.h>
<wctype.h>

Do not reuse standard header file names, system-specific header file names, or other header file names.

Noncompliant Code Example

In this noncompliant code example, the programmer chooses to use a local version of the standard library but does not make the change clear:

#include "stdio.h"  /* Confusing, distinct from <stdio.h> */

/* ... */

Compliant Solution

This compliant solution addresses the problem by giving the local library a unique name (per PRE08-C. Guarantee that header file names are unique), which makes it apparent that the library used is not the original:

/* Using a local version of stdio.h */ 
#include "mystdio.h"

/* ... */
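A practical check for this recommendation is to scan a project for two things: header files whose name shadows a C11 standard header, and #include "..." directives that name a standard header in the quoted (local-first) form, as in the noncompliant example above. The following script is an added example, not part of the CERT page or of any of the tools listed under Automated Detection; the function names and the sample file list and source text are constructed for illustration.

```python
import os
import re

# The 29 standard headers listed in C11 subclause 7.1.2.
C11_STANDARD_HEADERS = frozenset({
    "assert.h", "complex.h", "ctype.h", "errno.h", "fenv.h", "float.h",
    "inttypes.h", "iso646.h", "limits.h", "locale.h", "math.h", "setjmp.h",
    "signal.h", "stdalign.h", "stdarg.h", "stdatomic.h", "stdbool.h",
    "stddef.h", "stdint.h", "stdio.h", "stdlib.h", "stdnoreturn.h",
    "string.h", "tgmath.h", "threads.h", "time.h", "uchar.h", "wchar.h",
    "wctype.h",
})

# Matches the quoted form only. The <...> form is the intended way to reach the
# implementation's header, so it is not flagged here.
_QUOTED_INCLUDE = re.compile(r'^\s*#\s*include\s*"([^"]+)"')


def conflicting_header_paths(paths):
    """Return the project file paths whose basename shadows a C11 standard header.

    The comparison is case-insensitive because on case-insensitive file systems
    a file named String.h shadows <string.h> just as well as string.h does.
    """
    return sorted(
        p for p in paths
        if os.path.basename(p).lower() in C11_STANDARD_HEADERS
    )


def quoted_standard_includes(source_text):
    """Return (line_number, name) for every #include "x" where x is a standard header name.

    Such a directive searches the including file's directory (and -I paths)
    before the implementation's headers, which is exactly the ambiguity the
    noncompliant example shows.
    """
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        m = _QUOTED_INCLUDE.match(line)
        if m and m.group(1).lower() in C11_STANDARD_HEADERS:
            hits.append((lineno, m.group(1)))
    return hits


def scan_tree(root):
    """Walk a real source tree and return (conflicting headers, quoted includes per file)."""
    headers, includes = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith((".h", ".c")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = quoted_standard_includes(fh.read())
                if found:
                    includes[path] = found
            headers.extend(conflicting_header_paths([path]))
    return headers, includes


if __name__ == "__main__":
    # Constructed sample input; no files are read in this demo.
    sample_paths = ["src/mystdio.h", "include/stdio.h", "lib/String.h", "src/main.c"]
    sample_source = (
        '#include "stdio.h"   /* noncompliant: quoted standard header */\n'
        '#include <stdio.h>   /* fine */\n'
        '#include "mystdio.h" /* compliant: unique name */\n'
    )
    print("shadowing headers:", conflicting_header_paths(sample_paths))
    print("quoted standard includes:", quoted_standard_includes(sample_source))
```

Run scan_tree on a real checkout to get the same two reports for a whole project; a non-empty first list means a file that can silently replace an implementation header on any build that adds its directory to the include path.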

Risk Assessment

Using header file names that conflict with other header file names can result in an incorrect file being included. It is also possible that an attacker could place a duplicate header file in the library path in order to cause exploitable behavior.

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
PRE04-C          Low        Unlikely     Medium             P2         L3

Automated Detection

Tool                    Checker        Description
Axivion Bauhaus Suite   CertC-PRE04
ECLAIR                  CC2.PRE04      Fully implemented
Helix QAC               C5001
LDRA tool suite         568 S          Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 9899:2011]Subclause 7.1.2, "Standard Headers"
