According to Section the C Standard, 7.4 of C99 .1 paragraph 1 [ISO/IEC 9899:2024],
The header
<ctype.h>
declares several functions useful for classifying and mapping characters. In all cases the argument is anint
, the value of which shall be representable as anunsigned char
or shall equal the value of the macroEOF
. If the argument has any other value, the behavior is undefined.
(See also undefined behavior 107 of Appendix J113.)
Compliance with this This rule is complicated by the fact that applicable only to code that runs on platforms where the char
data type might, in any implementation, be signed or unsigned.is defined to have the same range, representation, and behavior as signed char
.
Following are the character classification functions that this rule addressesThe following character classification functions are affected:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
...
Note: XSI denotes an X/Open System Interfaces Extension to \[ ISO/IEC 9945\] -- POSIX ^®^. The functions are not defined by C99.9945—POSIX. These functions are not defined by the C Standard.
This rule is a specific instance of A generalization of this rule is guideline STR34-C. Cast characters to unsigned types char before converting to larger integer sizes.
Noncompliant Code Example
This noncompliant code example may pass invalid values to the isspace()
function.On implementations where plain char
is signed, this code example is noncompliant because the parameter to isspace()
, *t
, is defined as a const char *
, and this value might not be representable as an unsigned char
:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <ctype.h> #include <string.h> size_t count_preceding_whitespace(const char *s) { const char *t = s; /* possibly *t < 0 */size_t length = strlen(s) + 1; while (isspace(*t) && isspace(*tt - s < length)) { ++t; } return t - s; } |
The argument to isspace()
must be EOF
or representable as an unsigned char
; otherwise, the result is undefined.
...
This compliant solution casts the character to unsigned char
before passing it as an argument to the isspace()
function.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <ctype.h> #include <string.h> size_t count_preceding_whitespace(const char *s) { const char *t = s; size_t length = strlen(s) + 1; while (*t && isspace((unsigned char)*t) && (t - s < length)) { ++t; } return t - s; } |
Risk Assessment
Passing values to character handling functions that cannot be represented as an unsigned char
results in undefined program to character handling functions is undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR37-C |
Low |
Unlikely |
Low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|
Astrée |
| ctype-limits | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC-STR37 | Fully implemented | ||||||
CodeSonar |
| MISC.NEGCHAR | Negative character value | ||||||
Compass/ROSE |
Could detect violations of this rule by seeing if the argument to a character |
handling function (listed above) is not an | |||||||||
| CC2.STR37 | Fully implemented | |||||||
Helix QAC |
| C4413, C4414 C++3051 | |||||||
Klocwork |
| AUTOSAR.STDLIB.CCTYPE.UCHAR MISRA.ETYPE.ASSIGN.2012 | |||||||
LDRA tool suite |
| 663 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-STR37-a | Do not pass incorrect values to ctype.h library functions | ||||||
Polyspace Bug Finder |
| Checks for invalid use of standard library integer routine (rule fully covered) | |||||||
RuleChecker |
| ctype-limits | Partially checked | ||||||
TrustInSoft Analyzer |
| valid_char | Partially verified. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)C++
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard |
...
...
C. Cast characters to unsigned char before converting to larger integer sizes | Prior to 2018-01-12: CERT: Unspecified Relationship | |
ISO/IEC TS 17961 | Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-704, Incorrect Type Conversion or Cast | 2017-06-14: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-686 and STR37-C
Intersection( CWE-686, STR37-C) = Ø
STR37-C is not about the type of the argument passed (which is signed int), but about the restrictions placed on the value in this type (must be 0-UCHAR_MAX or EOF). I interpret ‘argument type’ to be specific to the C language, so CWE-686 does not apply to incorrect argument values, just incorrect types (which is relatively rare in C, but still possible).
CWE-704 and STR37-C
STR37-C = Subset( STR34-C)
CWE-683 and STR37-C
Intersection( CWE-683, STR37-C) = Ø
STR37-C excludes mis-ordered function arguments (assuming they pass type-checking), because there is no easy way to reliably detect violations of CWE-683.
Bibliography
[ISO/IEC 9899:2024] | 7.4.1, "Character Handling <ctype.h >" |
[Kettlewell 2002] | Section 1.1, "<ctype.h > and Characters Types" |
...
...
Bibliography
Wiki Markup |
---|
\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 7.4, "Character handling <{{ctype.h}}>"
\[[Kettlewell 2002|AA. Bibliography#Kettle 02]\] Section 1.1, "<{{ctype.h}}> And Characters Types"
\[[MITRE 2007|AA. Bibliography#MITRE 07]\] [CWE ID 704|http://cwe.mitre.org/data/definitions/704.html], "Incorrect Type Conversion or Cast," [CWE ID 686|http://cwe.mitre.org/data/definitions/686.html], "Function Call With Incorrect Argument Type" |
STR36-C. Do not specify the bound of a character array initialized with a string literal 07. Characters and Strings (STR) STR38-C. Do not use wide-char functions on narrow-char strings and vice versa