SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 94

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft C/C++test 2023.1

An object of type void * is a generic data pointer. It can point to any data object. For any incomplete or object type T, C permits implicit conversion from T * to void * or from void * to T *. The standard C library uses void * to declare parameters and return types of functions designed to work for objects of different types. Such is the case with the standard   C Standard memory allocation functions aligned_alloc(), malloc(), calloc(), and realloc() use void * to declare parameters and return types of functions designed to work for objects of different types.

For example, the C library declares malloc() as

...

Calling malloc(s) allocates memory for an object whose size is s and returns either a null pointer or a pointer to the allocated memory. A program can implicitly convert the pointer that malloc() returns into a different pointer type.

Because objects returned by the C Standard memory allocation functions are implicitly converted into any object type, we recommend casting the results of these functions into a pointer of the allocated type because it increases the chances that the compiler will catch and diagnose a mismatch between the intended type of the object and the actual type of the object.

Noncompliant Code Example

...

A small collection of macros can provide secure implementations for common uses for the standard memory allocation functions. The omission of a REALLOC() macro is intentional . (See MEM08see EXP39-C. Use realloc() only to resize dynamically allocated arrays.)Do not access a variable through a pointer of an incompatible type).

Code Block
bgColor#ccccff
langc
/* Allocates a single object using malloc() */
#define MALLOC(type) ((type *)malloc(sizeof(type)))

/* Allocates an array of objects using malloc() */
#define MALLOC_ARRAY(number, type) \
    ((type *)malloc((number) * sizeof(type)))

/* 
 * Allocates a single object with a flexible
 * array member using malloc().
 */
#define MALLOC_FLEX(stype, number, etype) \
    ((stype *)malloc(sizeof(stype) \
    + (number) * sizeof(etype)))

/* Allocates an array of objects using calloc() */
#define CALLOC(number, type) \
    ((type *)calloc(number, sizeof(type)))

/* Reallocates an array of objects using realloc() */
#define REALLOC_ARRAY(pointer, number, type) \
    ((type *)realloc(pointer, (number) * sizeof(type)))

/* 
 * Reallocates a single object with a flexible
 * array member using realloc().
 */
#define REALLOC_FLEX(pointer, stype, number, etype) \
    ((stype *)realloc(pointer, sizeof(stype) \
    + (number) * sizeof(etype)))

...

If one or more of the operands to the multiplication operations used in many of these macro definitions can be influenced by untrusted data, these operands should be checked for overflow before the macro is invoked . (See see INT32-C. Ensure that operations on signed integers do not result in overflow).)

The use of type-generic function-like macros is an allowed exception (PRE00-C-EX4) to PRE00-C. Prefer inline or static functions to function-like macros.

Exceptions

MEM02-C-EX1: Do not immediately cast the results of malloc() for code that will be compiled using a C90-conforming compiler because it is possible for the cast to hide a more critical defect . See (see DCL31-C. Declare identifiers before using them for a code example that uses malloc() without without first declaring it).

Risk Assessment

Failing to cast the result of a memory allocation function call into a pointer to the allocated type can result in inadvertent pointer conversions. Code that follows this recommendation will compile and execute equally well in C++.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MEM02-C

Low

Unlikely

Low

P3

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
alloc-without-cast
Partially checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-MEM02Fully implemented
Compass/ROSE

 

 



Can detect some violations of this recommendation when checking EXP36-C. Do not

convert

cast pointers into more strictly aligned pointer types

ECLAIR
Include Page
ECLAIR_V
ECLAIR_V
CC2.MEM02Fully implemented

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack

LDRA tool suite

Include PageLDRA_VLDRA_V

 

 

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0695
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-MEM02-a
CERT_C-MEM02-b

The result of the memory allocation function should be cast immediately
The result of the memory allocation function should be cast immediately into a pointer to the allocated type

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

908

Assistance provided: reports implicit conversions from void* to another type

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. MEM02-C


Checks for wrong allocated object size for cast (rule fully covered)

RuleChecker

Include Page
RuleChecker_V
RuleChecker_V

alloc-without-cast
Partially checked
PRQA QA-C Include PagePRQA_VPRQA_V0695Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++
Secure
Coding StandardVOID MEM02-CPP. Immediately cast the result of a memory allocation function call into a pointer to the allocated type

Bibliography

[Summit 2005]Question 7.7
Question 7.7b

...


...

Image Modified Image Modified Image Modified