Bitwise operators include the complement operator ~, the bitwise shift operators >> and <<, the bitwise AND operator &, the bitwise exclusive OR operator ^, and the bitwise inclusive OR operator |. Bitwise operators should be used only with unsigned integer operands because the results of some bitwise operations on signed integers are implementation-defined.

Noncompliant Code Example (Right Shift)

The right-shift operation may be implemented as either an arithmetic (signed) shift or a logical (unsigned) shift. If E1 in the expression E1 >> E2 has a signed type and a negative value, the resulting value is implementation-defined. Also, be careful to avoid undefined behavior while performing a bitwise shift. (See guideline INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.)

This noncompliant code example can result in an error condition on implementations in which an arithmetic shift is performed, and the sign bit is propagated as the number is shifted [Dowd 2006].

...

Also, consider using the sprintf_s() function defined in ISO/IEC TR 24731-1 instead of snprintf() to provide some additional checks. (See guideline STR07-C. Use TR 24731 for remediation of existing string manipulation code.)
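The right-shift hazard described above, as an added illustration that is not the code from the original guideline. The function names, the sample value, and the buffer size are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Noncompliant pattern: the shifted operand is signed. For a negative
 * value the result of >> is implementation-defined; an arithmetic shift
 * copies the sign bit into the vacated high bits. */
static unsigned int top_byte_signed(int32_t v) {
    return (unsigned int)(v >> 24);
}

/* Compliant pattern: the operand is unsigned, so zeros are shifted in
 * and the result is always in the range 0..255. */
static unsigned int top_byte_unsigned(uint32_t v) {
    return (unsigned int)(v >> 24);
}

/* Formats value into a buffer sized for "255" and returns 1 when
 * snprintf() reports an error or output that did not fit. */
static int format_truncated(unsigned int value) {
    char buf[sizeof("255")];
    int rc = snprintf(buf, sizeof(buf), "%u", value);
    return rc < 0 || (size_t)rc >= sizeof(buf);
}

int main(void) {
    int32_t s = INT32_MIN;        /* constructed sample: sign bit set */
    uint32_t u = 0x80000000u;     /* same bit pattern, unsigned type */
    unsigned int rs = top_byte_signed(s);
    unsigned int ru = top_byte_unsigned(u);

    printf("signed operand:   %u (truncated: %d)\n", rs, format_truncated(rs));
    printf("unsigned operand: %u (truncated: %d)\n", ru, format_truncated(ru));
    return 0;
}
```

On an implementation that performs an arithmetic shift and has a 32-bit unsigned int, the signed variant yields 4294967168, which no longer fits the three-digit buffer; the unsigned variant yields 128 everywhere.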

Exceptions

INT13-EX1: When used as bit flags, it is acceptable to use preprocessor macros as arguments to the & and | operators even if the value is not explicitly declared as unsigned.

...

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| INT13-C | high | unlikely | medium | P6 | L2 |

Automated Detection

...

| Tool | Version | Checker | Description |
|---|---|---|---|
| LDRA tool suite | ... | | |
| Fortify SCA | V. 5.0 | | with the CERT C Rule Pack can detect violations of this recommendation |
| ... | | | |
| Splint | | | |
| ... | | | |
| Compass/ROSE | | | can detect violations of this rule. In particular, it flags bitwise operations that involve variables not declared with unsigned type |

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

This rule appears in the C++ Secure Coding Standard as INT13-CPP. Use bitwise operators only on unsigned operands.

Bibliography

[Dowd 2006] Chapter 6, "C Language Issues"
[ISO/IEC 2003] Section 6.5.7, "Bitwise shift operators"
[ISO/IEC 9899:1999] Section 6.5.7, "Bitwise shift operators"
[ISO/IEC PDTR 24772] "STR Bit Representations," "XYY Wrap-around Error," and "XZI Sign Extension Error"
[MITRE 2007] CWE ID 682 (http://cwe.mitre.org/data/definitions/682.html), "Incorrect Calculation"

...