SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 124

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 125

changes.mady.by.user Aaron Ballman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFcccc
langc
#include <stdlib.h>
 
enum { BLOCKSIZE = 16 };
/* ... */
void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0) {
    return NULL;
  }
  unsigned long long alloc = num_blocks * BLOCKSIZE ;
  return (alloc < UINT_MAX)
     ? malloc(num_blocks * BLOCKSIZE )
     : NULL;
}

...

If both size_t and unsigned long long types are represented as a 64-bit unsigned value, the result of the multiplication operation may not be representable as an unsigned long long value. See INT35 INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size for more information on upcasting.

...

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
 
enum { BLOCKSIZE = 16 };
/* ... */
void *alloc_blocks(size_t num_blocks) {
  if (num_blocks == 0 || num_blocks > SIZE_MAX / BLOCKSIZE)
    return NULL;
  return malloc(num_blocks * BLOCKSIZE);
}

...

Code Block
bgColor#FFcccc
langc
int len;
#include <string.h>
 
enum { BUFF_SIZE = 32 };
 
void func(const char *str;
, int len) {
  char buf[BUFF_SIZE];

/* ... */
if (len < BUFF_SIZE){
    memcpy(buf, str, len);
}
/* ... */}
}

Compliant Solution (Range Checking)

...

Code Block
bgColor#ccccff
langc
size_t len;
#include <string.h>
 
enum { BUFF_SIZE = 32 };
 
void func(const char *str;
, size_t len) {
  char buf[BUFF_SIZE];

/* ... */
if (len < BUFF_SIZE){
    memcpy(buf, str, len);
  }
/* ... */}

See INT01-C. Use rsize_t or size_t for all integer values representing the size of an object for more information on representing the size of objects.

...

Code Block
bgColor#FFcccc
langc
#include <stdlib.h>
 
void function(size_t len) {
   long *p;
   if (len == 0 || len > SIZE_MAX / sizeof(long)) {
      /* Handle overflow */
   }
   p = (long *)malloc(len * sizeof(int));
   if (p == NULL) {
      /* Handle error */
   }
   /* ... */
   free(p);
}

This example also checks for unsigned integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflow.

...

Code Block
bgColorccccff
langc
#include <stdlib.h>
void function(size_t len) {
   long *p;
   if (len == 0 || len > SIZE_MAX / sizeof(long)) {
      /* Handle overflow */
   }
   p = (long *)malloc(len * sizeof(long));
   if (p == NULL) {
      /* Handle error */
   }
   /* ... */
   free(p);
}

Alternatively, sizeof(*p) can be used to properly size the allocation:

Code Block
bgColorccccff
langc
#include <stdlib.h>
 
void function(size_t len) {
   long *p;
   if (len == 0 || len > SIZE_MAX / sizeof(*p)) {
      /* Handle overflow */
   }
   p = (long *)malloc(len * sizeof(*p));
   if (p == NULL) {
      /*   Handle error */
   }
   /* ... */
   free(p);
}

The code also ensures that len is not equal to zero. (See MEM04-C. Do not perform zero-length allocations.)

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C Secure Coding StandardINT01-C. Use rsize_t or size_t for all integer values representing the size of an object
INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
INT32-C. Ensure that operations on signed integers do not result in overflow
INT18-C. Evaluate integer expressions in a larger size before comparing or assigning to that size
MEM04-C. Do not perform zero-length allocations
CERT C++ Secure Coding StandardMEM35-CPP. Allocate sufficient memory for an object
ISO/IEC TR 24772:2013Buffer Boundary Violation (Buffer Overflow) [HCB]
MITRE CWECWE-190, Integer overflow (wrap or wraparound)
CWE-131, Incorrect calculation of buffer size

...