Versions Compared

...

Section 7.21.7.2 of the C Standard [ISO/IEC 9899:2011] says,

...


Tool           Version   Checker   Description
Fortify SCA    5.0
Compass/ROSE                       Could detect some violations of this rule. In particular, it could detect the
                                   noncompliant code example by searching for fgets(), followed by strlen() - 1,
                                   which could be −1. The crux of this rule is that a string returned by fgets()
                                   could still be empty, because the first char is '\0'. There are probably other
                                   code examples that violate this guideline; they would need to be enumerated
                                   before ROSE could detect them.
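As an added illustration (not part of the original rule page) of the fgets() followed by strlen() - 1 pattern that the Compass/ROSE note describes, the C below computes the index the noncompliant idiom would use for an empty string and places a compliant length check beside it. The function names are mine, and the input line that begins with a NUL byte is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Index that the noncompliant idiom  buf[strlen(buf) - 1] = '\0'  would
 * write to. When fgets() succeeds but the first byte it stored is '\0',
 * strlen(buf) is 0, the size_t subtraction wraps to SIZE_MAX, and the store
 * lands outside buf (undefined behavior). Computed here, never used. */
size_t noncompliant_strip_index(const char *buf) {
    return strlen(buf) - 1;
}

/* Compliant newline stripping: tests for the empty string before indexing.
 * Returns 1 if a trailing '\n' was removed, 0 otherwise. */
int strip_trailing_newline(char *buf) {
    size_t len = strlen(buf);
    if (len == 0) return 0;       /* first char was '\0': nothing to strip */
    if (buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Helper: fills a line buffer from src the way fgets() would, strips it
 * with the compliant routine and returns the resulting length. */
int stripped_length(const char *src) {
    char buf[64];
    snprintf(buf, sizeof buf, "%s", src);
    strip_trailing_newline(buf);
    return (int)strlen(buf);
}

int main(void) {
    /* Constructed input whose first byte is NUL, written to a temporary
     * file so that a real fgets() call yields the empty-string case. */
    static const char input[] = "\0abc\n";
    char line[16];
    FILE *fp = tmpfile();
    if (fp == NULL) return 1;
    fwrite(input, 1, sizeof input - 1, fp);
    rewind(fp);
    if (fgets(line, sizeof line, fp) != NULL) {
        printf("strlen after successful fgets: %zu\n", strlen(line));  /* 0 */
        printf("noncompliant index: %zu\n", noncompliant_strip_index(line));
        printf("compliant strip returned: %d\n", strip_trailing_newline(line));
    }
    fclose(fp);
    return 0;
}
```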

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

ISO/IEC 9899:2011 Section 7.21.7.2, "The fgets function"

...

...

Failure to constrain operations within the bounds of an allocated memory buffer

...


...

...

Failure to handle wrong data type

...

Bibliography

[ISO/IEC 9899:2011] Section 7.21.7.2, "The fgets Function"
[Lai 2006]
[Seacord 2005a] Chapter 2, "Strings"