...
| Code Block | ||||
|---|---|---|---|---|
| ||||
struct obj {
int i;
float f;
};
typedef struct obj *ObjectPtr;
void func(const ObjectPtr o) {
/* Can actually modify o's contents, against expectations. */
} |
Compliant Solution
This compliant solution makes use of type definitions but does not declare a pointer type and so cannot be used in a const-incorrect manner:
| Code Block | ||||
|---|---|---|---|---|
| ||||
struct obj {
int i;
float f;
};
typedef struct obj Object;
void func(const Object *o) {
/* Cannot modify o's contents. */
} |
Noncompliant Code Example (Windows)
The Win32 SDK headers make use of type definitions for most of the types involved in Win32 APIs, but the following this noncompliant solution code example demonstrates a const-correctness bug:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <Windows.h>
/* typedef char *LPSTR; */
void func(const LPSTR str) {
/* Can mutate str's contents, against expectations. */
} |
Compliant Solution (Windows)
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <Windows.h>
/* typedef const char *LPCSTR; */
void func(LPCSTR str) {
/* Cannot modify str's contents. */
} |
Noncompliant Code Example (Windows)
Note that many structures in the Win32 API are declared with pointer type definitions but not pointer-to-const type type definitions (LPPOINT, LPSIZE, and others). In these cases, it is suggested that you create your own type definition from the base structure type.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <Windows.h>
/*
typedef struct tagPOINT {
long x, y;
} POINT, *LPPOINT;
*/
void func(const LPPOINT pt) {
/* Can modify pt's contents, against expectations. */
} |
Compliant
...
Solution (Windows)
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <Windows.h>
/*
typedef struct tagPOINT {
long x, y;
} POINT, *LPPOINT;
*/
typedef const POINT *LPCPOINT;
void func(LPCPOINT pt) {
/* Cannot modify pt's contents. */
} |
...
Function pointer types are an exception to this recommendation.
Noncompliant Code Example
The following In this noncompliant code example, the declaration of the signal() function is difficult to read and comprehend:
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
typedef void SighandlerType(int signum); extern SighandlerType *signal( int signum, SighandlerType *handler ); |
Exceptions
Function pointer types are an exception to this recommendation.
Risk Assessment
Code readability is important for discovering and eliminating vulnerabilities.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL05-C |
Low |
Unlikely |
Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| pointer-typedef | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-DCL05 | |||||||
| CodeSonar |
| LANG.STRUCT.PIT | Pointer type inside typedef | ||||||
| Compass/ROSE |
| Helix QAC |
| C5004 |
| LDRA tool suite |
| 299 S |
Partially implemented | |||||||||
| Parasoft C/C++test |
| CERT_C-DCL05-a | Declare a type of parameter as typedef to pointer to const if the pointer is not used to modify the addressed object | ||||||
| RuleChecker |
| pointer-typedef | Fully checked |
Fully implemented
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CERT C |
| Secure Coding Standard |
| DCL12-C. Implement abstract data types using opaque types |
...
...