Abstract data types are not restricted to object-oriented languages like such as C++ and Java and . They should be created and used in C language programs as well. Abstract data types are most effective when used with private (opaque) data types and information hiding.
...
This noncompliant code example is based on the managed string library developed by CERT [Burch 2006]. In this example, the managed string type , and the functions that operate on this type , are defined in the string_m.h
header file as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
struct string_mx { size_t size; size_t maxsize; unsigned char strtype; char *cstr; }; typedef struct string_mx string_mx; /* Function declarations */ extern errno_t strcpy_m(string_mx *s1, const string_mx *s2); extern errno_t strcat_m(string_mx *s1, const string_mx *s2); /* etc... */ |
The implementation of the string_mx
type is fully visible to the user of the data type after including the string_m.h
file. Programmers are consequently more likely to directly manipulate the fields within the structure, violating the software engineering principles of information hiding and data encapsulation and increasing the probability of developing incorrect or nonportable code.
...
In the external string_m.h
file, the string_mx
type is defined to be an instance of struct string_mx
, which in turn is declared as an incomplete type.:
Code Block | ||||
---|---|---|---|---|
| ||||
struct string_mx; typedef struct string_mx string_mx; /* Function declarations */ extern errno_t strcpy_m(string_mx *s1, const string_mx *s2); extern errno_t strcat_m(string_mx *s1, const string_mx *s2) ; /* etc... */ |
In the internal header file, struct string_mx
is fully defined but not visible to a user of the data abstraction.:
Code Block | ||||
---|---|---|---|---|
| ||||
struct string_mx { size_t size; size_t maxsize; unsigned char strtype; char *cstr; }; |
Modules that implement the abstract data type include both the external and internal definitions, whereas users of the data abstraction include only the external string_m.h
file. This allows the implementation of the string_mx
data type to remain private.
...
The use of opaque abstract data types, though not essential to secure programming, can significantly reduce the number of defects and vulnerabilities introduced in code, particularly during ongoing maintenance.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL12-C |
Low |
Unlikely |
High | P1 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-DCL12 | |||||||
LDRA tool suite |
|
104 D |
Partially implemented | |||||||||
Polyspace Bug Finder |
| CERT C: Rec. DCL12-C | Checks for structure or union object implementation visible in file where pointer to this object is not dereferenced (rule partially covered) | ||||||
Parasoft C/C++test |
| CERT_C-DCL12-a | If a pointer to a structure or union is never dereferenced within a translation unit, then the implementation of the object should be hidden |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
MISRA C:2012 | Directive 4.8 (advisory) |
Bibliography
...