SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 124

changes.mady.by.user Svyatoslav Razmyslov

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

Noncompliant Code Example (NULL)

Because the The C Standard allows Standard allows NULL to be either an integer constant or a pointer constant, any architecture in which int is not the same size as a pointer might present a particular vulnerability with variadic functions. If NULL is defined as an int on such a platform, then . While passing NULL as an argument to a function with a fixed number of arguments will cause NULL to be cast to the appropriate pointer type, when it is passed as a variadic argument, this will not happen if sizeof(NULL) != sizeof(void *), so variadic functions that accept an argument of pointer type will not correctly promote NULL to the correct size. ConsequentlyThis is possible for several reasons:

  • Pointers and ints may have different sizes on a platform where NULL is an integer constant
  • The platform may have different pointer types with different sizes on a platform. In that case, if NULL is a void pointer, it is the same size as a pointer to char (C11 section 6.2.5, paragraph 28), which might be sized differently than the required pointer type.

On either such platform, the following code will have have undefined behavior:

Code Block
bgColor#ffcccc
langc
char* string = NULL;
printf("%s %d\n", string, 1);

...

Recommendation

Severity

Likelihood

Detectable

RepairableRemediation Cost

Priority

Level

DCL11-C

High

Probable

Yes

NoHigh

P6P12

L2L1

Automated Detection

Insure++

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL11
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.STRUCT.ELLIPSIS

 

Ellipsis

Compass/ROSE



Does not currently detect violations of this recommendation. Although the recommendation in general cannot be automated, because of the difficulty in enforcing contracts between a variadic function and its invokers, it would be fairly easy to enforce type correctness on arguments to the printf() family of functions

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.DCL11

Partially implemented

GCC
Include Page
GCC_V
GCC_V


Warns about inconsistently typed arguments to formatted output functions when the -Wall is used

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0206, C0207, C0208


Klocwork
Include Page
Klocwork_V
Klocwork_V
MISRA.FUNC.VARARG
SV.FMT_STR.PRINT_FORMAT_MISMATCH.BAD
SV.FMT_STR.PRINT_FORMAT_MISMATCH.UNDESIRED
SV.FMT_STR.SCAN_FORMAT_MISMATCH.BAD
SV.FMT_STR.SCAN_FORMAT_MISMATCH.UNDESIRED
SV.FMT_STR.PRINT_IMPROP_LENGTH
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.FEW
SV.FMT_STR.PRINT_PARAMS_WRONGNUM.MANY
SV.FMT_STR.UNKWN_FORMAT.SCAN
LDRA tool suite
Include Page
LDRA_V
LDRA_V

41 S, 589 S

Partially implemented

Parasoft Runtime
Polyspace Bug FinderR2016aFormat string specifiers and arguments mismatch

String specifiers do not match corresponding arguments

C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL11-a
CERT_C-DCL11-b
CERT_C-DCL11-c
CERT_C-DCL11-d
CERT_C-DCL11-e
CERT_C-DCL11-f


There should be no mismatch between the '%s' and '%c' format specifiers in the format string and their corresponding arguments in the invocation of a string formatting function
There should be no mismatch between the '%f' format specifier in the format string and its corresponding argument in the invocation of a string formatting function
There should be no mismatch between the '%i' and '%d' format specifiers in the string and their corresponding arguments in the invocation of a string formatting function
There should be no mismatch between the '%u' format specifier in the format string and its corresponding argument in the invocation of a string formatting function
There should be no mismatch between the '%p' format specifier in the format string and its corresponding argument in the invocation of a string formatting function
The number of format specifiers in the format string and the number of corresponding arguments in the invocation of a string formatting function should be equal

Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

175, 559, 2408

Assistance provided: reports issues involving format strings

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. DCL11-C


Checks for format string specifiers and arguments mismatch (rec. partially covered)

PRQA QA-C
Include Page
PRQA QA-C_vPRQA QA-C_v

0179 (U)
0184 (U)
0185 (U)
0186 (U)
0190 (U)
0191 (U)
0192 (U)
0193 (U)
0194 (U)
0195 (U)
0196 (U)
0197 (U)
0198 (U)
0199 (U)
0200 (U)
0201 (U)
0206 (U)
0207
0208

Partially implemented

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V576

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

...