SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 75

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Dynamically allocated buffers dynamically resize as additional memory is required. Dynamic approaches scale better and do not discard excess data. The major disadvantage is that, if inputs are not limited, they can exhaust memory on a machine and consequently be used in denial-of-service attacks.

Dynamic allocation is often disallowed in safety-critical systems. For example, the MISRA standard requires that "dynamic heap memory allocation shall not be used" [MISRA 2004]. Some safety-critical systems can take advantage of dynamic memory allocation during initialization but not during operations. For example, avionics software may dynamically allocate memory while initializing the aircraft but not during flight.

A number of existing libraries are available for managing string data; the library selected depends on the approach adopted for managing null-terminated byte strings. The functions defined by the C Standard, Section subclause 7.24, are primarily intended for managing statically allocated strings. However, these functions are problematic because many of them are insufficiently bounded. Consequently, this standard recommends using the ISO/IEC TR 24731-1 [ISO/IEC TR 24731-1:2007] C11 Annex K functions with statically allocated arrays. (See STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.) These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.

ISO/IEC TR 24731 -2 Part II offers another approach, supplying functions that allocate enough memory for their results [ISO/IEC TR 24731-2]. It provides an API that dynamically allocates the results of string functions as needed. Almost all of the APIs in this technical report are also in a current International Standardinternational standard. For example, TR 24731 -2 Part II includes POSIX functions, such as strdup() [ISO/IEC 9945:2003], as well as functions from the Linux Standard Base Core Specification such as asprintf() [ISO/IEC 23360-1:2006].

...

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

STR01-C

lowLow

unlikelyUnlikely

highHigh

P1

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Secure Coding StandardVOID STR01-CPP. Adopt and implement a consistent plan for managing stringsISO/IEC TR 24731-1:2007 
ISO/IEC TR 24731-2:2010 
MISRA C:2012Directive 4.12 (required)

...

[CERT 2006c] 
[ISO/IEC 9945:2003] 
[ISO/IEC 23360-1:2006] 
[Seacord 2013]Chapter 2, "Strings"

 

...

Image Modified Image Modified Image Modified