You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. If the type of the operand is not a variable length array type the operand is not evaluated.

Providing an expression that appears to produce side effects may be misleading to programmers who are not aware that these expressions are not evaluated. As a result, programmers may make invalid assumptions about program state leading to errors and possible software vulnerabilities.

Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP06-A

1 (low)

1 (unlikely)

3 (low)

P3

L3

Examples of vulnerabilities resulting from the violation of this recommendation can be found on the
CERTwebsite.

References

[[ISO/IEC 9899-1999]] Section 6.5.3.4, "The sizeof operator"

  • No labels