SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 34

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version Current

changes.mady.by.user Anirban Gangopadhyay

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Abstract data types are not restricted to object-oriented languages like such as C++ and Java and . They should be created and used in C language programs as well. Abstract data types are most effective when used with private (opaque) data types and information hiding.

Noncompliant Code Example

...

This noncompliant code example is based on the managed string library developed by CERT \ [[Burch 06|AA. References#Seacord 06]\]. In this example, the managed string type, and functions that operate on this type, are defined in the {{Burch 2006]. In this example, the managed string type and the functions that operate on this type are defined in the string_m.h}} header file as follows:

Code Block
bgColor#FFCCCC
langc

struct string_mx {
    size_t size;
    size_t maxsize;
    unsigned char strtype;
    char *cstr;
};

typedef struct string_mx *string_mmx;

/* Function declarations */
extern errno_t strcpy_m(string_mmx *s1, const string_mmx *s2);
extern errno_t strcat_m(string_mmx *s1, const string_mmx *s2) ;
/* etc... */

The implementation of the string_mmx type is fully visible to the user of the data type after including the string_m.h file. Programmers are consequently more likely to directly manipulate the fields within the structure, violating the software engineering principles of information hiding and data encapsulation and increasing the probability of developing incorrect or nonportable code.

...

This compliant solution reimplements the string_mmx type as a private type, hiding the implementation of the data type from the user of the managed string library. To accomplish this, the developer of the private data type creates two header files: an external "string_m.h" header file that is included by the user of the data type and an internal file that is included only in files that implement the managed string abstract data type.

In the external string_m.h file, the string_mmx type is declared as a pointer to a defined to be an instance of struct string_mx, which in turn is declared as an incomplete type.:

Code Block
bgColor#ccccff
langc

struct string_mx;
typedef struct string_mx string_mx;

/* Function declarations */
extern errno_t strcpy_m(string_mx *s1, const string_mx *s2);
extern errno_t strcat_m(string_mx *s1, const string_mx *s2);
/* ... */

In the internal header file, struct string_mx is fully defined but not visible to a user of the data abstraction.:

Code Block
bgColor#ccccff
langc

struct string_mx {
    size_t size;
    size_t maxsize;
    unsigned char strtype;
    char *cstr;
};

/* Function declarations */
extern errno_t strcpy_m(string_m s1, const string_m s2);
extern errno_t strcat_m(string_m s1, const string_m s2) ;
/* etc. */

Modules that implement the abstract data type include both the external and internal definitions, while  whereas users of the data abstraction include only the external string_m.h file. This allows the implementation of the string_mmx data type to remain private.

...

The use of opaque abstract data types, while  though not essential to secure programming, can significantly reduce the number of defects and vulnerabilities introduced in code, particularly during ongoing maintenance.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL12-C

low

Low

unlikely

Unlikely

high

High

P1

L3

Automated Detection

...

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL12
LDRA tool suite

...

Include Page
LDRA_V
LDRA_V

104 D

Partially implemented

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. DCL12-CChecks for structure or union object implementation visible in file where pointer to this object is not dereferenced (rule partially covered)


Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL12-aIf a pointer to a structure or union is never dereferenced within a translation unit, then the implementation of the object should be hidden

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Burch 06|AA. References#Seacord 06]\]
\[[ISO/IEC 9899:1999|AA. References#ISO/IEC 9899-1999]\] Section 6.2.5, "Types"

Related Guidelines

MISRA C:2012

Directive 4.8 (advisory)

Bibliography

[Burch 2006]


...

Image Added Image Added Image Removed      02. Declarations and Initialization (DCL)      Image Modified