SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 36

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 37

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. However, using the sizeof operator to determine the size of arrays is error prone.

Non-Compliant Code Example

Wiki Markup
In this non-compliant code example, the function {{clear()}} zeros the elements in an array. The function has one parameter declared as {{int array\[\]}} and is passed a static array consisting of twelve {{int}} as the argument. The function {{clear()}} uses the idiom {{sizeof (array) / sizeof (array\[0\])}} to determine the number of elements in the array.  However, {{array}} has a pointer type because it is a parameter.  As a result, {{sizeof(array)}} is {{sizeof(int \*)}}.  For example, in GCC on IA32, the expression {{sizeof (array) / sizeof (array\[0\])}} evaluates to 1, regardless of the length of the array passed, leaving the rest of the array unaffected.

...

This applies to all array parameters, even if the parameter declaration contains an index.

Compliant Solution

In this compliant solution, the size of the array is determined inside the block in which it is declared and passed as an argument to the function.

Code Block
bgColor#ccccff
void clear(int array[], size_t size) {
  size_t i;
  for (i = 0; i < size; i++) {
     array[i] = 0;
  }
}
/* ... */
int dis[12];

clear(dis, sizeof (dis) / sizeof (dis[0]));
/* ... */

Risk Assessment

Incorrectly using the sizeof operator to determine the size of an array can result in a buffer overflow, allowing the execution of arbitrary code.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ARR00 ARR01-A

3 ( high )

2 ( probable )

3 ( low )

P18

L1

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

The tool Compass Rose can detect violations of the recommendation, but it cannot distinguish between incomplete array declarations and pointer declarations.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators"
\[[Drepper 06|AA. C References#Drepper 06]\] Section 2.1.1, "Respecting Memory Bounds"

...

06. Arrays (ARR)ARR00-A. Understand how arrays work      06. Arrays (ARR)       ARR30-C. Guarantee that array indices are within the valid range