Versions Compared

Comment: Added Polyspace Bug Finder

...

Porting code with hard-coded sizes can result in a buffer overflow or related vulnerability.

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP09-C | High | Unlikely | Medium | P6 | L2 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Can detect violations of this recommendation. In particular, it looks for the size argument of malloc(), calloc(), or realloc() and flags when it does not find a sizeof operator in the argument expression. It does not flag if the return value is assigned to a char *; in this case a string is being allocated, and sizeof is unnecessary because sizeof(char) == 1. |
| ECLAIR | | CC2.EXP09 | Can detect violations of this recommendation. In particular, it considers when the size of a type is used by malloc(), calloc() or realloc() and flags these functions if either the size argument does not use a sizeof operator, or the size argument uses sizeof, but the type of the returned value is not a pointer to the type of the argument to sizeof. It does not flag if the returned value is assigned to a char *. |
| LDRA tool suite | | 201 S | Partially implemented |
| Polyspace Bug Finder | R2016b | Hard-coded object size used to manipulate memory | Memory manipulation with hard-coded size instead of sizeof |
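The pattern these checkers look for, shown beside the sizeof form they accept. This is an added example, not code from the CERT page or from any of the listed tools; `struct sample` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record type. Its size depends on the ABI:
 * long is 4 bytes on ILP32 and LLP64, 8 bytes on LP64. */
struct sample { long id; long value; };

/* Flagged pattern: the literal 8 assumes two 4-byte longs, so code
 * ported to an LP64 platform asks for half the memory it needs. */
static size_t hardcoded_bytes(size_t n) { return n * 8; }

/* Accepted pattern: size taken from the type, with an overflow check.
 * Returns 0 if n * sizeof(struct sample) would wrap around. */
static size_t sizeof_bytes(size_t n) {
    if (n > SIZE_MAX / sizeof(struct sample)) return 0;
    return n * sizeof(struct sample);
}

/* Bytes by which the hard-coded size under-allocates on this platform. */
static size_t shortfall(size_t n) {
    size_t need = sizeof_bytes(n), got = hardcoded_bytes(n);
    return need > got ? need - got : 0;
}

/* Allocation in the form the checkers expect: sizeof applied to the
 * pointed-to object, so the size matches the type of the returned
 * pointer. A char * buffer would not need sizeof (sizeof(char) == 1). */
static struct sample *alloc_samples(size_t n) {
    struct sample *p;
    if (n == 0 || sizeof_bytes(n) == 0) return NULL;
    p = malloc(n * sizeof *p);
    return p;
}

int main(void) {
    size_t n = 16;
    struct sample *s = alloc_samples(n);
    printf("needed %zu, hard-coded %zu, shortfall %zu\n",
           sizeof_bytes(n), hardcoded_bytes(n), shortfall(n));
    if (s != NULL) {
        s[n - 1].value = 1;   /* in bounds with the sizeof-based size */
        free(s);
    }
    return 0;
}
```

A nonzero shortfall is the number of bytes a write to the last element would land past the end of a buffer allocated with the hard-coded size.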

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...


...