SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 50

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 51

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Because not all C compilers are strictly C99 conforming, you cannot rely on the behavior of the % operator if you need to run on a wide range of platforms with many different compilers.

According to C99:

The result of the / operator is the quotient from the division of the first operand by the second; the result of the % operator is the remainder. In both operations, if the value of the second operand is zero, the behavior is undefined.

and:

When integers are divided, the result of the / operator is the algebraic quotient with any fractional part discarded. If the quotient a/b is representable, the expression (a/b)*b + a%b shall equal a.

...

In this noncompliant example, the insert() function adds values to a buffer in a modulo fashion, that is, by inserting values at the beginning of the buffer once the end is reached. However, both size and index are declared as int and, consequently, not guaranteed to be positive. Depending on the implementation and on the sign of size and index, the result of (index + 1) % size may be negative, resulting in a write outside the bounds of the list array.

Code Block
bgColor#FFCCCC
int insert(int index, int *list, int size, int value) {
  if (size != 0) {
    index = (index + 1) % size;
    list[index] = value;
    return index;
  }
  else {
    return -1;
  }
}

This code also violates guideline ERR02-C. Avoid in-band error indicators.

...

However, this noncompliant code example violates guideline INT01-C. Use rsize_t or size_t for all integer values representing the size of an object. There is also a possibility that (index + 1) could result in a signed integer overflow in violation of guideline INT32-C. Ensure that operations on signed integers do not result in overflow.

Compliant Solution (

...

Unsigned Types)

The most appropriate solution in this case is to use unsigned types to eliminate any possible implementation defined behavior, as in this compliant solution. For compliance with guideline ERR02-C, we fill a 'result' argument with the mathematical result, and we return nonzero only if the operation succeeds.

...

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT10-C

low

unlikely

high

P1

L3

Automated Detection

Tool

Version

Checker

Description

Section

Fortify SCA

...

Section

V. 5.0

 

Section

can detect violations of this recommendation with the CERT C Rule Pack

...

Section

Compass/ROSE

 

 

Section

could detect the specific NCCE. It could identify when the result of a % operation might be negative, and flag usage of that result in an array index. It could, conceivably flag usage of any such result without first checking that the result is positive, but this will most likely introduce many false positives

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

This rule appears in the C++ Secure Coding Standard as : INT10-CPP. Do not assume a positive remainder when using the % operator.

References

Wiki Markup
\[[Beebe 052005|AA. Bibliography#Beebe 05]\]
\[[ISO/IEC 9899-1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 6.5.5, "Multiplicative operators"
\[[Microsoft 072007|AA. Bibliography#Microsoft 07]\] [C Multiplicative Operators|http://msdn2.microsoft.com/en-us/library/efa0csed(VS.80).aspx]
\[[MITRE 072007|AA. Bibliography#MITRE 07]\] [CWE ID 682|http://cwe.mitre.org/data/definitions/682.html], "Incorrect Calculation," and [CWE ID 129|http://cwe.mitre.org/data/definitions/129.html], "Unchecked Array Indexing"
\[[Sun 052005|AA. Bibliography#Sun 05]\] [Appendix E, "Implementation-Defined ISO/IEC C90 Behavior"|http://docs.sun.com/source/819-3688/c90.implementation.app.html]

...