According to Section 7.4 of C99 (see also bullet 107 of Appendix J):
The header
<ctype.h>
declares several functions useful for classifying and mapping characters. In all cases the argument is anint
, the value of which shall be representable as anunsigned char
or shall equal the value of the macroEOF
. If the argument has any other value, the behavior is undefined.
Compliance with this rule is complicated by the fact that the char
data type might, in any implementation, be signed or unsigned.
The following character classification functions are affected:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note: XSI denotes an X/Open System Interfaces Extension to [ISO/IEC 9945] – POSIX ®. The functions are not defined by C99.
A generalization of this rule is STR34-C. Cast characters to unsigned types before converting to larger integer sizes.
Noncompliant Code Example
This noncompliant code example may pass invalid values to the isspace()
function.
size_t count_preceding_whitespace(const char *s) { const char *t = s; /* possibly *t < 0 */ while (*t && isspace(*t)) { ++t; } return t - s; }
The argument to isspace()
must be EOF or representable as an unsigned char
; otherwise, the result is undefined.
Compliant Solution
This compliant solution casts the character to unsigned char
before passing it as an argument to the isspace()
function.
size_t count_preceding_whitespace(const char *s) { const char *t = s; while (*t && isspace((unsigned char)*t)) { ++t; } return t - s; }
Risk Assessment
Passing values to character handling functions that cannot be represented as an unsigned char
results in undefined program behavior.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
STR37-C |
low |
unlikely |
low |
P3 |
L3 |
Automated Detection
Compass/ROSE could detect violations of this rule by seeing if the argument to a character-handling function (listed above) is not an unsigned char
.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as STR37-CPP. Arguments to character handling functions must be representable as an unsigned char.
References
[[ISO/IEC 9899:1999]] Section 7.4, "Character handling <ctype.h
>"
[[Kettlewell 02]] Section 1.1, "<ctype.h
> And Characters Types"
[[MITRE 07]] CWE ID 704, "Incorrect Type Conversion or Cast," CWE ID 686, "Function Call With Incorrect Argument Type"
STR36-C. Do not specify the bound of a character array initialized with a string literal 07. Characters and Strings (STR) STR38-C. Do not use wide-char functions on narrow-char strings and vice versa