Versions Compared

Comment: Updated UB references from C11->C23

According to the C Standard, Section 7.4.1 paragraph 1 [ISO/IEC 9899:2024],

The header <ctype.h> declares several functions useful for classifying and mapping characters. In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined.

(See also undefined behavior 112.)

This rule is applicable only to code that runs on platforms where the char data type is defined to have the same range, representation, and behavior as signed char.

The following character classification functions are affected:

  • isalnum()
  • isalpha()
  • isascii() (XSI)
  • isblank()
  • iscntrl()
  • isdigit()
  • isgraph()
  • islower()
  • isprint()
  • ispunct()
  • isspace()
  • isupper()
  • isxdigit()
  • toascii() (XSI)
  • toupper()
  • tolower()

Note: XSI denotes an X/Open System Interfaces Extension to ISO/IEC 9945—POSIX®. These functions are not defined by the C Standard.

STR34-C. Cast characters to unsigned char before converting to larger integer sizes is a generalization of this rule.

Noncompliant Code Example

On implementations where plain char is signed, this code example is noncompliant because the argument passed to isspace(), *t, is read through a const char *, and its value might not be representable as an unsigned char:

#include <ctype.h>
#include <string.h>

size_t count_preceding_whitespace(const char *s) {
  const char *t = s;
  size_t length = strlen(s) + 1;
  /* *t is a plain char; where char is signed, bytes >= 0x80 promote to negative ints */
  while (isspace(*t) && (t - s < length)) {
    ++t;
  }
  return t - s;
}

The argument to isspace() must be EOF or representable as an unsigned char; otherwise, the result is undefined.

...

This compliant solution casts the character to unsigned char before passing it as an argument to the isspace() function:

#include <ctype.h>
#include <string.h>

size_t count_preceding_whitespace(const char *s) {
  const char *t = s;
  size_t length = strlen(s) + 1;
  /* the cast maps every byte into 0..UCHAR_MAX, the domain of isspace() */
  while (*t && isspace((unsigned char)*t) && (t - s < length)) {
    ++t;
  }
  return t - s;
}
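An added example, not from the CERT page, that makes the signedness issue concrete: it checks whether a value lies in the domain the Standard gives for <ctype.h> arguments, shows what a plain char promotes to with and without the unsigned char cast, and counts how many bytes of a constructed UTF-8 input would be passed out of domain if uncast. The function names and the sample string are assumptions of this example.

```c
/* Added example (not the CERT page's code): domain of <ctype.h> arguments
 * and the effect of the (unsigned char) cast on a signed-char platform. */
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* A value is in the domain of the <ctype.h> functions (C 7.4.1p1) only if
 * it is representable as unsigned char or equals EOF. */
int is_valid_ctype_arg(int v) {
  return v == EOF || (v >= 0 && v <= UCHAR_MAX);
}

/* What a plain char becomes when passed directly: integer promotion.
 * Where char is signed, bytes >= 0x80 promote to negative ints. */
int promoted_as_is(char c) {
  return c;
}

/* The compliant conversion: the cast maps every byte into 0..UCHAR_MAX. */
int promoted_safely(char c) {
  return (unsigned char)c;
}

/* Count bytes of s that would leave the <ctype.h> domain if passed uncast. */
size_t count_out_of_domain(const char *s) {
  size_t n = 0;
  for (; *s != '\0'; ++s) {
    if (!is_valid_ctype_arg(promoted_as_is(*s))) ++n;
  }
  return n;
}

/* Count whitespace bytes in s using the compliant cast; safe for any byte. */
size_t count_spaces(const char *s) {
  size_t n = 0;
  for (; *s != '\0'; ++s) {
    if (isspace(promoted_safely(*s))) ++n;
  }
  return n;
}

int main(void) {
  /* Constructed input: "cafe" with UTF-8 e-acute (0xC3 0xA9) and a tab. */
  const char sample[] = "caf\xC3\xA9\t";
  printf("char is %s\n", CHAR_MIN < 0 ? "signed" : "unsigned");
  printf("out-of-domain bytes if passed uncast: %zu\n", count_out_of_domain(sample));
  printf("whitespace count (compliant): %zu\n", count_spaces(sample));
  return 0;
}
```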

Risk Assessment

Passing values that cannot be represented as an unsigned char to character handling functions is undefined behavior.

Rule: STR37-C
Severity: Low
Likelihood: Unlikely
Remediation Cost: Low
Priority: P3
Level: L3

Automated Detection

Tool | Checker | Description
Astrée | ctype-limits | Partially checked
Axivion Bauhaus Suite | CertC-STR37 | Fully implemented
CodeSonar | MISC.NEGCHAR | Negative character value
Compass/ROSE | | Could detect violations of this rule by seeing if the argument to a character-handling function (listed above) is not an unsigned char
ECLAIR | CC2.STR37 | Fully implemented
Helix QAC | C4413, C4414, C++3051 |
Klocwork | AUTOSAR.STDLIB.CCTYPE.UCHAR, MISRA.ETYPE.ASSIGN.2012 |
LDRA tool suite | 663 S | Fully implemented
Parasoft C/C++test | CERT_C-STR37-a | Do not pass incorrect values to ctype.h library functions
Polyspace Bug Finder | CERT C: Rule STR37-C | Checks for invalid use of standard library integer routine (rule fully covered)
RuleChecker | ctype-limits | Partially checked
TrustInSoft Analyzer | valid_char | Partially verified

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy | Taxonomy item | Relationship
CERT C | ... Cast characters to unsigned char before converting to larger integer sizes | Prior to 2018-01-12: CERT: Unspecified Relationship
... | Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext] | Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11 | CWE-704, Incorrect Type Conversion or Cast | 2017-06-14: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-686 and STR37-C

Intersection( CWE-686, STR37-C) = Ø

STR37-C is not about the type of the argument passed (which is signed int), but about the restrictions placed on the value in this type (must be 0-UCHAR_MAX or EOF). I interpret ‘argument type’ to be specific to the C language, so CWE-686 does not apply to incorrect argument values, just incorrect types (which is relatively rare in C, but still possible).

CWE-704 and STR37-C

STR37-C = Subset( STR34-C)

CWE-683 and STR37-C

Intersection( CWE-683, STR37-C) = Ø

STR37-C excludes mis-ordered function arguments (assuming they pass type-checking), because there is no easy way to reliably detect violations of CWE-683.

Bibliography

MITRE CWE: CWE-686, "Function call with incorrect argument type"

Bibliography

[ISO/IEC 9899:2024] 7.4.1, "Character Handling <ctype.h>"
[Kettlewell 2002] Section 1.1, "<ctype.h> and Characters Types"