Comment: use sizeof *ptr) rather than sizeof type

Integer values used as a size argument to malloc(), calloc(), realloc(), or aligned_alloc() must be valid and large enough to contain the objects to be stored. If size arguments are incorrect or can be manipulated by an attacker, then a buffer overflow may occur. Incorrect size arguments, inadequate range checking, integer overflow, or truncation can result in the allocation of an inadequately sized buffer. The programmer must ensure that size arguments to memory allocation functions allocate sufficient memory.

...

Noncompliant Code Example (Size Calculation)

In this noncompliant code example, an array of long is allocated and assigned to p. However, sizeof(int) is used to size the allocated memory. If sizeof(long) is larger than sizeof(int), then an insufficient amount of memory is allocated.

...

The code also ensures that len is not equal to zero. (See MEM04-C. Do not perform zero-length allocations.)
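The size calculation and zero-length check described above can be written as follows. This is an added example, not code from the original page; the function names `alloc_long_array`, `alloc_long_array_checked` and `fill_and_sum` are hypothetical, and the signed `long long` input stands in for a length taken from untrusted data.

```c
#include <stdint.h>
#include <stdlib.h>

/*
 * Hypothetical helper (not from the original page): allocate an array of
 * len long values. Returns NULL for a zero length, for a length whose
 * byte count would wrap around SIZE_MAX, or when malloc() fails.
 */
long *alloc_long_array(size_t len) {
  long *p;

  /* Reject zero-length requests and products that overflow size_t. */
  if (len == 0 || len > SIZE_MAX / sizeof(*p)) {
    return NULL;
  }
  /* sizeof(*p) follows the element type even if p's declaration changes. */
  p = (long *)malloc(len * sizeof(*p));
  return p;
}

/*
 * Hypothetical wrapper for a length that arrives as a signed value.
 * Without the range check, -1 would convert to SIZE_MAX.
 */
long *alloc_long_array_checked(long long requested) {
  if (requested <= 0 || (unsigned long long)requested > SIZE_MAX) {
    return NULL;
  }
  return alloc_long_array((size_t)requested);
}

/* Write every element to show the buffer holds len longs; return the sum. */
long fill_and_sum(long *p, size_t len) {
  long sum = 0;
  for (size_t i = 0; i < len; i++) {
    p[i] = (long)i;
    sum += p[i];
  }
  return sum;
}

int main(void) {
  long *p = alloc_long_array_checked(8);
  if (p == NULL) {
    return EXIT_FAILURE;
  }
  long sum = fill_and_sum(p, 8);
  free(p);
  return sum == 28 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```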

Noncompliant Code Example

In this noncompliant code example, too little space is allocated for a struct tm object because the size of the pointer is being used to determine the size of the pointed-to object. This is a demonstration of EXP01-C. Do not take the size of a pointer to determine the size of the pointed-to type.

#include <stdlib.h>
#include <time.h>

struct tm *make_tm(int year, int mon, int day, int hour,
                   int min, int sec) {
  struct tm *tmb;
  tmb = (struct tm *)malloc(sizeof(tmb));
  if (tmb == NULL) {
    return NULL;
  }
  tmb->tm_sec = sec;
  tmb->tm_min = min;
  tmb->tm_hour = hour;
  tmb->tm_mday = day;
  tmb->tm_mon = mon;
  tmb->tm_year = year;
  return tmb;
}

Compliant Solution

In this compliant solution, the correct amount of memory is allocated for the struct tm object.

#include <stdlib.h>
#include <time.h>

struct tm *make_tm(int year, int mon, int day, int hour,
                   int min, int sec) {
  struct tm *tmb;
  tmb = (struct tm *)malloc(sizeof(*tmb));
  if (tmb == NULL) {
    return NULL;
  }
  tmb->tm_sec = sec;
  tmb->tm_min = min;
  tmb->tm_hour = hour;
  tmb->tm_mday = day;
  tmb->tm_mon = mon;
  tmb->tm_year = year;
  return tmb;
}

Risk Assessment

Providing invalid size arguments to memory allocation functions can lead to buffer overflows and the execution of arbitrary code with the permissions of the vulnerable process.

...