...
The C Standard identifies four different kinds of nonportable behavior. Each section of Annex J of the C Standard enumerates distinct instances of behaviors of each kind.
Nonportable Behavior | Definition | Annex J Section |
|---|---|---|
Behavior for which the standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance. | J.1 | |
Behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which the standard imposes no requirements. An example of undefined behavior is the behavior on signed integer overflow. | ||
Unspecified behavior whereby each implementation documents how the choice is made. | J.3 | |
Behavior that depends on local conventions of nationality, culture, and language that each implementation documents. | J.4 |
An example of undefined behavior is passing a null char* pointer as an argument to the printf function corresponding to the %s format specification. Although some implementations (such as the GNU C Library) provide well-defined semantics for this case, others do not, causing programs that rely on this behavior to fail abnormally.
...
This noncompliant code example uses the complement operator in the test for unsigned integer overflow. It assumes both numbers are nonnegative:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsignedsigned int uisi; unsignedsigned int ui2si2; unsignedsigned int sum; if (~uisi < 0 || si2 < 0) { /* Handle error condition */ } if (~si < ui2si2) { /* Handle error condition */ } sum = uisi + ui2si2; |
This code assumes that the implementation uses two's complement representation. This assumption is commonly true but is not guaranteed by the standard.
...
This compliant solution implements a strictly conforming test for unsigned overflow:
| Code Block | ||||
|---|---|---|---|---|
| ||||
unsigned int uisi; unsigned int ui2si2; unsigned int sum; if (UINTsi < 0 || si2 < 0) { /* Handle error condition */ } if (INT_MAX - uisi < ui2si2) { /* Handle error condition */ } sum = uisi + ui2si2; |
If the noncompliant form of this test is truly faster, talk to your compiler vendor because, if these tests are equivalent, optimization should occur. If both forms have the same performance, prefer the portable form.
...
Unnecessary platform dependencies are, by definition, unnecessary. Avoiding these dependencies can eliminate porting errors resulting from invalidated assumptions.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC14-C | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| Helix QAC |
|
|
|
0202,284,581,634,1434,0240,0241,0246,0551,0601,
0633,0635,0660,0662,0830,0831,0899,1001,1002,
1003,1006,1008,1012,1014,1015,1019,1020,1021,
1022,1026,1028,1029,1034,1035,1036,1037,1038,
1041,1042,1043,1044,1045,1046,3664
C0202, C0240, C0241, C0242, C0243, C0246, C0284, C0551, C0581, C0601, C0633, C0634, C0635, C0660, C0662, C0830, C0831, C0840, C0899, C1001, C1002, C1003, C1006, C1008, C1012, C1014, C1015, C1019, C1020, C1021, C1022, C1026, C1028, C1029, C1034, C1035, C1036, C1037, C1038, C1041, C1042, C1043, C1044, C1045, C1046, C1434, C3664 | |||||||||
| LDRA tool suite |
| 17 D, 69 S, 42 S | Partially implemented | ||||||
| Parasoft C/C++test |
| CERT_C-MSC14-a | Evaluation of constant unsigned integer expressions should not lead to wrap-around |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID MSC14-CPP. Do not introduce unnecessary platform dependencies |
| ISO/IEC TR 24772 | Unspecified Behaviour [BQF] |
Bibliography
| [Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223) |
| [Seacord 2013] | Chapter 5, "Integer Security" |
...