If a header file with the same name as a standard header is placed in the search path for included source files, the behavior is undefined.

Non-Compliant Example

Naming a header file any of the following could cause problems:

...

The following table from the C Standard, subclause 7.1.2 [ISO/IEC 9899:2011], lists these standard headers:

| <assert.h> | <float.h> | <math.h> | <stdatomic.h> | <stdlib.h> | <time.h> |
| <complex.h> | <inttypes.h> | <setjmp.h> | <stdbool.h> | <stdnoreturn.h> | <uchar.h> |
| <ctype.h> | <iso646.h> | <signal.h> | <stddef.h> | <string.h> | <wchar.h> |
| <errno.h> | <limits.h> | <stdalign.h> | <stdint.h> | <tgmath.h> | <wctype.h> |
| <fenv.h> | <locale.h> | <stdarg.h> | <stdio.h> | <threads.h> | |


Do not reuse standard header file names, system-specific header file names, or other header file names.

Noncompliant Code Example

In this noncompliant code example, the programmer chooses to use a local version of the standard library but does not make the change clear:

```c
#include "stdio.h"  /* Confusing, distinct from <stdio.h> */

/* ... */
```

Compliant Solution

The solution addresses the problem by giving the local library a unique name (per PRE08-C. Guarantee that header file names are unique), which makes it apparent that the library used is not the original:

```c
/* Using a local version of stdio.h */
#include "mystdio.h"

/* ... */
```
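
A source-tree scan for both forms of the problem, the quoted `#include "stdio.h"` from the noncompliant example and a project file that carries a standard header's name, as an added example that is not part of the original guideline or of any tool listed on this page. The function name `find_violations`, the finding labels, and matching on the base name only are assumptions of this example.

```python
import os
import re
import sys

# The 29 standard headers of C11 subclause 7.1.2 (the table on this page).
STANDARD_HEADERS = frozenset(
    name + ".h" for name in """
    assert complex ctype errno fenv float inttypes iso646 limits locale math
    setjmp signal stdalign stdarg stdatomic stdbool stddef stdint stdio stdlib
    stdnoreturn string tgmath threads time uchar wchar wctype""".split()
)

# Quoted include form, e.g.  #include "stdio.h"  (text-level match: it does
# not strip comments, so a commented-out include is reported too).
QUOTED_INCLUDE = re.compile(r'^[ \t]*#[ \t]*include[ \t]*"([^"\n]+)"', re.MULTILINE)


def find_violations(root):
    """Return sorted (kind, relative_path, header) tuples for the tree at root.

    kind "shadow": a project file whose name is a standard header name.
    kind "quoted-include": a .c/.h file that includes such a name with quotes.
    Only the base name is compared, so "sys/time.h" is reported as time.h.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            rel = os.path.relpath(path, root)
            lowered = filename.lower()
            # Case-insensitive on purpose: on a case-insensitive file system
            # a file named STDIO.H also satisfies a lookup for stdio.h.
            if lowered in STANDARD_HEADERS:
                findings.append(("shadow", rel, lowered))
            if lowered.endswith((".c", ".h")):
                with open(path, encoding="utf-8", errors="replace") as handle:
                    text = handle.read()
                for target in QUOTED_INCLUDE.findall(text):
                    base = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
                    if base in STANDARD_HEADERS:
                        findings.append(("quoted-include", rel, base))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python check_pre04.py <source-root>  (script name is hypothetical)
    results = find_violations(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, rel, header in results:
        print(f"{kind}: {rel} reuses standard header name {header}")
    sys.exit(1 if results else 0)
```

Run as a script, it exits non-zero when anything is found, so it can gate a build; point it at project directories rather than the toolchain's own include directory, where the real standard headers live.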

Risk Assessment

Using header file names that conflict with other header file names can result in an incorrect file being included.

| Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level |
| --- | --- | --- | --- | --- | --- | --- |
| PRE04-C | Low | Unlikely | Yes | No | P2 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
| --- | --- | --- | --- |
| Axivion Bauhaus Suite | | CertC-PRE04 | |
| Cppcheck Premium | | premium-cert-pre04-c | |
| ECLAIR | | CC2.PRE04 | Fully implemented |
| Helix QAC | | C5001 | |
| LDRA tool suite | | 568 S | Fully implemented |
| Polyspace Bug Finder | | CERT C: Rec. PRE04-C | Checks for reuse of standard header file (rec. fully covered) |
| Security Reviewer - Static Reviewer | | RTOS_22 | Fully implemented |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 9899:2011] Subclause 7.1.2, "Standard Headers"


...


Risk Assessment

It is possible that an attacker could place a duplicate header file in the library path in order to cause exploitable behavior.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
| --- | --- | --- | --- | --- | --- |
| | 2 (medium) | 1 (unlikely) | 3 (low) | P2 | L2 |

References

[ISO/IEC 9899] 7.1.2 Standard Headers