SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 33 Next »

Do not use the same variable name in two scopes where one scope is contained in another. Examples include

  • No other variable should share the name of a global variable if the other value is in a subscope of the global variable.
  • A block should not declare a variable with the same name as a variable declared in any block that contains it.

Reusing variable names leads to programmer confusion about which variable is being modified. Additionally, if variable names are reused, generally one or both of the variable names are too generic.

Non-Compliant Code Example (strpcy())

In this non-compliant code example, the programmer sets the value of the msg variable, expecting to reuse it outside the block. Due to the reuse of the variable name, however, the outside msg variable value is not changed.

char msg[100];
/* ... */
void error_message(char *error_msg) {
  char msg[80];
  /* ... */
  strcpy(msg, err_msg);  /* error_msg is assumed to reference a NTBS of len 99 or less */
  return;
}

Furthermore, if the length of the null-terminated byte string referenced by error_msg is greater than 79 characters in length, a buffer overflow will occur on the stack, which may be exploitable.

Non-Compliant Code Example (strcpy_s())

In this non-compliant code example, the call to strpcy() has been replaced with a call to strcpy_s(). See [[STR00-A. Use TR 24731 for remediation of existing string manipulation code]] for more information on using strcpy_s().

char msg[100];
/* ... */
void error_message(char *error_msg) {
  char msg[80];
  /* ... */

  /* error_msg is assumed to reference a NTBS of length 99 or less */
  errno_t e = strcpy_s(msg, sizeof(msg), error_msg);
  if (e != 0) {
     /* handle strcpy_s() error */
  }
}

This code fixes one of the two problems from the previous non-compliant code example: it eliminates the possibility of buffer overflow because two references to msg in strcpy_s() both refer to msg[80] defined in the subscope. The initial problem of not changing the value of the outside msg variable value remains. The call to strcpy_s() will also fail if the length of the null-terminated byte string referenced by error_msg is longer than 79 characters in length.

Compliant Solution

This compliant solution uses different, more descriptive variable names. Also it uses strcpy_s().

char system_msg[100];
/* ... */
void error_message(char *error_msg) {
  char default_msg[80];
  /* ... */

  /* error_msg is assumed to reference a NTBS of length 99 or less */  
  errno_t e = strcpy_s(system_msg, 100, error_msg);
  if (e != 0) {
     /* handle strcpy_s() error */
  }
}

When the block is small, the danger of reusing variable names is mitigated by the visibility of the immediate declaration. Even in this case, however, variable name reuse is not desirable.

Risk Assessment

Reusing a variable name in a subscope can lead to unintended values for the variable.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL01-A

1 (low)

1 (unlikely)

2 (medium)

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 5.2.4.1, "Translation limits"
[[MISRA 04]] Rule 5.2

DCL00-A. Declare immutable values using enum or const      02. Declarations and Initialization (DCL)       DCL02-A. Use visually distinct identifiers

  • No labels