SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 136

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 137

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: minor edits; reviewed

Integer values used as a size argument to malloc(), calloc(), realloc(), or aligned_alloc() must be valid and large enough of sufficient size to contain the objects to be stored. If size arguments are incorrect or can be manipulated by an attacker, then a buffer overflow may occur. Incorrect size arguments, inadequate range checking, integer overflow, or truncation can result in the allocation of an inadequately sized buffer.

Typically the amount of memory to allocate will be the size of the type of object to allocate. When allocating space for an array, the size of the object will be multiplied by the bounds of the array. Use the correct type of the object when computing the size of chunk to allocate.

STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator is a specific instance of this rule.

Noncompliant Code Example (Integer)

In this noncompliant code example, an array of long is allocated and assigned to p.   This example also The code checks for unsigned integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflowThe code and also ensures that len is not equal to zero . (See see MEM04-C. Beware of zero-length allocations.)  HoweverUnfortunately, because sizeof(int) is used to size the allocated memory. If memory an insufficient amount of memory can be allocated on implementations where sizeof(long) is larger than sizeof(int), then an insufficient amount of memory is allocated .

Code Block
bgColor#FFcccc
langc
#include <stdlib.h>
 
void function(size_t len) {
   long *p;
   if (len == 0 || len > SIZE_MAX / sizeof(long)) {
      /* Handle overflow */
   }
   p = (long *)malloc(len * sizeof(int));
   if (p == NULL) {
      /* Handle error */
   }
   free(p);
}

...

In this noncompliant code example, too little inadequate space is allocated for a struct tm object because the size of the pointer is being used to determine the size of the pointed-to object.

...

Tool

Version

Checker

Description

Compass/ROSE

 

 

could check violations of this rule by examining the size expression to malloc() or memcpy() functions. Specifically, the size argument should be bounded by 0, SIZE_MAX, and, unless it is a variable of type size_t or rsize_t, it should be bounds-checked before the malloc() call. If the argument is of the expression a*b, then an appropriate check is:

Code Block
if (a < SIZE_MAX / b && a > 0) ...

Coverity

Include Page
Coverity_V
Coverity_V

BAD_ALLOC_STRLEN


SIZECHECK

Can find instances where string length is miscalculated (length calculated may be one less than intended) for memory allocation purposes. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary

Finds memory allocations that are assigned to a pointer that reference objects larger than the allocated block

Fortify SCA

5.0

 

Can detect violations of this rule with CERT C Rule Pack, except those involving the sizeof operator

Klocwork

9.1

INCORRECT.ALLOC_SIZE

 

LDRA tool suite

Include Page
LDRA_V
LDRA_V

487 S
577 S 

Fully implemented
Fully implemented 

Splint

3.1.1  

Related Vulnerabilities

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...