SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 81

changes.mady.by.user Liz Whiting

Saved on

compared with

New Version 82

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFCCCC
langc
void getPassword(void) {
  char pwd[64];
  if (retrievePassword(pwd, sizeof(pwd))) {
    /* Checking of password, secure operations, etc. */
  }
  memset(pwd, 0, sizeof(pwd));
  *(volatile char*)pwd= *(volatile char*)pwd;
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

ToolVersionCheckerDescription
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
BADFUNC.MEMSETUse of memset
LDRA tool suite
Include Page
LDRA_V
LDRA_V
35 S, 57 S, 8 D,
65 D, 76 D, 105 D,
I J, 3 J		Partially Implementedimplemented

Related Guidelines

SEI CERT C++ Coding StandardMSC06-CPP. Be aware of compiler optimization when dealing with sensitive data
CERT Oracle Secure Coding Standard for JavaMSC01-J. Do not use an empty infinite loop
MITRE CWECWE-14, Compiler removal of code to clear buffers

...

[ISO/IEC 9899:2011]Subclause 6.8.5, "Iteration Statements"
Subclause K.3.7.4.1, "The memset_s Function"
[MSDN]"SecureZeroMemory"
"Optimize (C/C++)"
[US-CERT]"MEMSET"
[Wheeler 2003]Section 11.4, "Specially Protect Secrets (Passwords and Keys) in User Memory"

 

...

 

...