SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 36

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 37

changes.mady.by.user Martin Sebor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added GCC -Wchar-subscripts to Automated Detection.

...

Tool

Version

Checker

Description

Section

LDRA tool suite

Include Page
c:LDRA_V
c:LDRA_V

 

 

Section

Fortify SCA

Section

V. 5.0

 

Section

can detect violations of this rule with CERT C Rule Pack

Section

Compass/ROSE

 

 

Section

can detect violations of this rule when checking for violations of guideline INT07-C. Use only explicitly signed or unsigned char type for numeric values

GCC

2.95 and later

-Wchar-subscripts

Detects objects of type char used as array indices.

Related Vulnerabilities

Wiki Markup
[CVE-2009-0887|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0887] results from a violation of this rule. In Linux PAM (up to version 1.0.3), the {{libpam}} implementation of strtok casts a (potentially signed) character to an integer, for use as an index to an array. An attacker can exploit this by inputting a string with non-ASCII characters, causing the cast to result in a negative index and accessing memory outside of the array \[[xorl 2009|http://xorl.wordpress.com/2009/03/26/cve-2009-0887-linux-pam-singedness-issue/]\].

...