SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 113

changes.mady.by.user Swasti Shrivastava

Saved on

compared with

New Version Current

changes.mady.by.user Richard W. Laughlin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Removed references to Annex K.

...

FunctionsRemediation
rand(), srand()MSC30-C. Do not use the rand() function for generating pseudorandom numbers
getenv(), getenv_s()ENV34-C. Do not store pointers returned by certain functions
strtok()strtok_s() in C11 Annex Kstrtok_r() in POSIX
strerror()strerror_s() in C11 Annex Kstrerror_r() in POSIX
asctime(), ctime(),
localtime(), gmtime()asctime_s(), ctime_s(), localtime_s(), gmtime_s() in C11 Annex K		strftime()
setlocale()Protect multithreaded access to locale-specific functions with a mutex
ATOMIC_VAR_INIT, atomic_init()Do not attempt to initialize an atomic variable from multiple threads
tmpnam()tmpnam_s() in C11 Annex K
tmpnam_r() in POSIX
mbrtoc16(), c16rtomb(),
mbrtoc32(), c32rtomb()		Do not call with a null mbstate_t * argument 

...

In this noncompliant code example, the function f() is called from within a multithreaded application but encounters an error while calling a system function. The strerror() function returns a human-readable error string given an error number.

The C Standard, 7.2426.6.2 3 paragraph 3 [ISO/IEC 9899:20112024], specifically states that strerror() is not required to avoid data races.

The strerror function is not required to avoid data races with other calls to the strerror function.

An implementation could write the error string into a static array and return a pointer to it, and that array might be accessible and modifiable by other threads.

...

This code first sets errno to 0 to comply with ERR30-C. Take care when reading errno

Compliant Solution (Annex K, strerror_s()

This compliant solution uses the strerror_s() function from Annex K of the C Standard, which has the same functionality as strerror() but guarantees thread-safety:

...

bgColor#ccccff
langc

...

errno

...

Because Annex K is optional, strerror_s() may not be available in all implementations

Compliant Solution (POSIX, strerror_r())

...

Race conditions caused by multiple threads invoking the same library function can lead to abnormal termination of the application, data integrity violations, or a denial-of-service attack.

Rule

Severity

Likelihood

Detectable

Remediation CostRepairable

Priority

Level

CON33-C

Medium

Probable

No

NoHigh

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported, but no explicit checker
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

BADFUNC.RANDOM.RAND
BADFUNC.TEMP.TMPNAM
BADFUNC.TTYNAME

Use of rand (includes check for uses of srand())
Use of tmpnam (includes check for uses of tmpnam_r())
Use of ttyname

Compass/ROSE



A module written in Compass/ROSE can detect violations of this rule

Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-con33-c
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5037

C++5021

DF4976, DF4977


Klocwork
Include Page
Klocwork_V
Klocwork_V

CERT.CONC.LIB_FUNC_USE


LDRA tool suite
 
Include Page
LDRA_V
LDRA_V
44 SPartially Implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-CON33-a

Avoid using thread-unsafe functions

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

586

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule CON33-CChecks for data race through standard library function call (rule fully covered)

Related Guidelines

Key here (explains table format and definitions)

...

[IEEE Std 1003.1:2013]Section 2.9.1, "Thread Safety"
[ISO/IEC 9899:20112024]

Subclause 7.2426.6.23, "The strerror Function" 

[Open Group 1997b]Section 10.12, "Thread-Safe POSIX.1 and C-Language Functions"

...