Page History

Location

Before (with error)

After (with correction)

Rationale

Taint and Tainted Sources

Material from this section was contributed to ISO/IEC TS 17961:2013.

Taint and Tainted Sources

...Brendan Saulsbury,Robert C. Seacord...

...Brendan Saulsbury, Roger Scott, Robert C. Seacord...

The SEI CERT Secure Coding Team

Aaron Ballman, Lori Flynn, David Keaton, William Klieber, Robert Schiela, William Snavely, and David Svoboda

The SEI CERT Secure Coding Team

Lori Flynn, William Klieber, Robert Schiela, and David Svoboda

Noncompliant Code Example (Header Guard)
A common, but noncompliant, practice is to choose a reserved name for a macro used in a prepro-
cessor conditional guarding against multiple inclusions of a header file. (See also PRE06-C. En-
close header files in an inclusion guard.)

Compliant Solution (Header Guard)
This compliant solution avoids using leading underscores in the name of the header guard:

However, compilers are free to implement arg.b = 2 by setting the low byte of a 32-bit register
to 2 , leaving the high bytes unchanged and storing all 32 bits of the register into memory. This
implementation could leak the high-order bytes resident in the register to a user.

memcpy(buf + offset, &arg.c, sizeof(arg.c));
offset += sizeof(arg.c);

  memcpy(buf + offset, &arg.c, sizeof(arg.c));
  offset += sizeof(arg.c);
  /* Set all remaining bytes to zero */
  memset(buff + offset, 0, sizeof(arg) - offset);

However, compilers are free to implement the initialization of arg.a and arg.b by setting the
low byte of a 32-bit register to the value specified, leaving the high bytes unchanged and storing
all 32 bits of the register into memory. This implementation could leak the high-order bytes resi-
dent in the register to a user.

MISRA C:2012 Rule 12.1 (advisory)

static unsigned int tun_chr_poll(struct file *file, poll_table
*wait) {
struct tun_file *tfile = file->private_data;
struct tun_struct *tun = __tun_get(tfile);
struct sock *sk;
unsigned int mask = 0;
if (!tun)
return POLLERR;
sk = tun->sk;
/* T

static unsigned int tun_chr_poll(struct file *file, poll_table *wait)  {
  assert(file);
  struct tun_file *tfile = file->private_data;
  struct tun_struct *tun = __tun_get(tfile);
  struct sock *sk;
  unsigned int mask = 0;
 
  if (!tun)
    return POLLERR;
  assert(tun->dev);
  sk = tun->sk;
  assert(sk);
  assert(sk->socket);
  /* The remaining code is omitted because it is unchanged... */
}

On such an architecture, improper pointer alignment is permitted but remains an efficiency problem.

On such an architecture, improper pointer alignment is permitted but remains an efficiency problem.

The x86 32- and 64-bit architectures...

...but they must also ensure that their compiler, along with its optimizer, also respect these guarantees.

  if (wp->j == 12) {
    /* ... */
  }
}

  if (wp->j == 12) {
    /* ... */
  }
  /* ... */
  free(wp);
}

  if (wp->j == 12) {
    /* ... */
  }
}

  if (wp->j == 12) {
    /* ... */
  }
  /* ... */
  free(wp);
}

if ((left && right) &&
    (0 == memcmp(left, right, sizeof(struct s)))) {

if (0 == memcmp(left, right, sizeof(struct s))) {

if ((left && right) &&
    (0 == memcmp(left, right, sizeof(struct s)))) {

4.13.1
Noncompliant Code Example

Performing assignment statements in other contexts do not violate this rule. However, they may violate other rules, such as EXP30-C. Do not depend on the order of evaluation for side effects.

4.13.1
Noncompliant Code Example

p. 150, Section 5.3.5.2

This compliant solution eliminates signed overflow on systems where long is at least twice the precision of int:

This compliant solution eliminates signed overflow on systems where long long is at least twice the precision of int:

The phrase should be “long long” not “long.”

p. 186 Section 6.3.2

if (PRECISION(INT_MAX) < log2f(fabsf(f_a)) ||
(f_a != 0.0F && fabsf(f_a) < FLT_MIN)) {
/* Handle error */

  if (isnan(f_a) ||
      PRECISION(INT_MAX) < log2f(fabsf(f_a)) ||
      (f_a != 0.0F && fabsf(f_a) < FLT_MIN)) {
    /* Handle error */

if (isgreater(fabs(d_a), FLT_MAX) ||
isless(fabs(d_a), FLT_MIN)) {
/* Handle error */
} else {
f_a = (float)d_a;
}
if (isgreater(fabsl(big_d), FLT_MAX) ||
isless(fabsl(big_d), FLT_MIN)) {
/* Handle error */
} else {
f_b = (float)big_d;
}
if (isgreater(fabsl(big_d), DBL_MAX) ||
isless(fabsl(big_d), DBL_MIN)) {
/* Handle error */

if (d_a != 0.0 &&
      (isnan(d_a) ||
       isgreater(fabs(d_a), FLT_MAX) ||
       isless(fabs(d_a), FLT_MIN))) {
    /* Handle error */
  } else {
    f_a = (float)d_a;
  }
  if (big_d != 0.0 &&
      (isnan(big_d) ||
       isgreater(fabs(big_d), FLT_MAX) ||
       isless(fabs(big_d), FLT_MIN))) {
    /* Handle error */
  } else {
    f_b = (float)big_d;
  }
  if (big_d != 0.0 &&
      (isnan(big_d) ||
       isgreater(fabs(big_d), DBL_MAX) ||
       isless(fabs(big_d), DBL_MIN))) {
    /* Handle error */

p. 203, Section 7.2.1

In this noncompliant code example, a variable length array of size is declared.

In this noncompliant code example, a variable length array of size size is declared.

The second ”size” was missing.

p. 226, Section 8.1

A character string literal is a sequence of zero or more multibyte characters enclosed in double-quotes, as in "xyz."

A character string literal is a sequence of zero or more multibyte characters enclosed in double-quotes, as in "xyz".

The period should appear outside the quote, not inside the quote because the quote is part of the character string.

The code checks for unsigned integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflow and also ensures that len is not equal to zero.

  if (msg != NULL) {
    /* Handle error */
  }

  if (msg == NULL) {
    /* Handle error */
  }

p. 286, Section 10.2.2

When opening a FIFO with O_RDONLY or O_WRONLY set:

When opening a block special or character special file that supports nonblocking opens:

Otherwise, the behavior of O_NONBLOCK is unspecified.

When opening a FIFO with O_RDONLY or O_WRONLY set:

• If O_NONBLOCK is set, an open() for reading-only returns without delay. An open() for writing-only returns an error if no process currently has the file open for reading.
• If O_NONBLOCK is clear, an open() for reading-only blocks the calling thread until a thread opens the file for writing. An open() for writing-only blocks the calling thread until a thread opens the file for reading.

When opening a block special or character special file that supports nonblocking opens:

• If O_NONBLOCK is set, the open() function returns without blocking for the device to be ready or available; subsequent behavior is device-specific.
• If O_NONBLOCK is clear, the open() function blocks the calling thread until the device is ready or available before returning.

Otherwise, the behavior of O_NONBLOCK is unspecified.

Bulleted items were missing.

p. 365, Section 12.2.3

Signal handlers can refer to objects with static or thread storage a duration that are lock-free atomic objects, as in this compliant solution:

Signal handlers can refer to objects with static or thread storage durations that are lock-free atomic objects, as in this compliant solution:

The phrase should be “storage durations” not “storage a duration.”

• Those that set errno and return and out-of-band error indicator
• Those that set errno and return and in-band error indicator

• Those that set errno and return an out-of-band error indicator
• Those that set errno and return an in-band error indicator

p. 447, Section   14.11.1

This noncompliant code example declares a shared atomic_boolflag variable and provides a toggle_flag() method that negates the current value of flag:

This noncompliant code example declares a shared atomic_bool flag variable and provides a toggle_flag() method that negates the current value of flag:

The variable should be “atomic_bool flag,” not “atomic_boolflag.”

137 The macro va_arg is invoked using the parameter ap that was
passed to a function that invoked the macro va_arg with the same
parameter (7.16). CON37-C