...
Padding units might contain sensitive data because the C Standard allows any padding to take unspecified values. A pointer to such a structure could be passed to other functions, causing information leakage.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| DCL39-C | Low | Unlikely | High | P1 | L3 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Klocwork | | PORTING.STORAGE.STRUCT PORTING.STRUCT.BOOL | |
| Parasoft C/C++test | | SECURITY-46 | Implemented |
Related Vulnerabilities
Numerous vulnerabilities in the Linux Kernel have resulted from violations of this rule. CVE-2010-4083 describes a vulnerability in which the semctl() system call allows unprivileged users to read uninitialized kernel stack memory because various fields of a semid_ds struct declared on the stack are not altered or zeroed before being copied back to the user.
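
The padding leak this rule describes, modelled in user space as an added example (not code from the original page): a buffer pre-filled with the constructed marker 0xAA stands in for stale stack memory, and `struct test`, `fill_raw`, `stale_bytes` and `pack_test` are hypothetical names. It compares sending the whole object across a trust boundary with sending members one by one from a zeroed buffer.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example type: padding typically follows b so that c is aligned. */
struct test { int a; char b; int c; };
#define STALE 0xAA /* constructed marker standing in for old stack contents */
#define PACKED_LEN (sizeof(int) + sizeof(char) + sizeof(int))

/* Model a stack slot holding stale bytes, then store only the member bytes. */
void fill_raw(unsigned char *raw, int a, char b, int c) {
    memset(raw, STALE, sizeof(struct test));
    memcpy(raw + offsetof(struct test, a), &a, sizeof a);
    memcpy(raw + offsetof(struct test, b), &b, sizeof b);
    memcpy(raw + offsetof(struct test, c), &c, sizeof c);
}

/* Count bytes in an outgoing buffer that still carry the stale marker. */
size_t stale_bytes(const unsigned char *buf, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (buf[i] == STALE);
    return hits;
}

/* Hardened path: zero the output, then copy members one by one so no padding
 * byte is ever read. Returns bytes written, or 0 if cap is too small. */
size_t pack_test(const struct test *s, unsigned char *out, size_t cap) {
    size_t off = 0;
    if (cap < PACKED_LEN)
        return 0;
    memset(out, 0, cap);
    memcpy(out + off, &s->a, sizeof s->a); off += sizeof s->a;
    memcpy(out + off, &s->b, sizeof s->b); off += sizeof s->b;
    memcpy(out + off, &s->c, sizeof s->c); off += sizeof s->c;
    return off;
}

/* Stale bytes that cross the boundary when the whole object is copied out. */
size_t leaked_by_whole_copy(void) {
    unsigned char raw[sizeof(struct test)];
    fill_raw(raw, 1, 2, 3);
    return stale_bytes(raw, sizeof raw);
}

size_t leaked_by_packed_copy(void) {
    unsigned char raw[sizeof(struct test)], out[PACKED_LEN];
    struct test s;
    fill_raw(raw, 1, 2, 3);
    memcpy(&s, raw, sizeof s); /* s now carries the stale padding bytes */
    return stale_bytes(out, pack_test(&s, out, sizeof out));
}
```

The receiver of the packed form must unpack with the same member order and sizes, since the wire layout no longer matches the in-memory layout of the structure.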
...
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | DCL03-C. Use a static assertion to test the value of a constant expression | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
| [ISO/IEC 9899:2011] | 6.2.6.1, "General"; 6.7.2.1, "Structure and Union Specifiers" |
| [Graff 2003] | |
| [Sun 1993] | |
...
...