SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 15

changes.mady.by.user Hal Burch

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not hard - code the size of a type into an application. Because of alignment, padding, and differences in basic types (e.g., 32-bit versus 64-bit pointers), the size of most types can vary between compilers and even version versions of the same compiler. Using the sizeof operator to determine sizes improves the clarity of what is meant and ensures that changes between compilers or version versions will not affect the code.

Type alignment requirements can also affect the size of structs. Consider structures. For example, the size of the following structure is implementation-defined:

Code Block

struct s {
   int i;
   double d;
};

Depending on the compiler and platform, this structure could be any of a variety of sizes. Assuming 32-bit integers and 64-bit doubles, for example, the size might be 12 or can range from 12 to 16 bytes, depending on alignment rules.

...

Noncompliant Code Example

This non-compliant example demonstrates the incorrect way noncompliant code example attempts to declare a triangular two-dimensional array of integers with variable length rows. On a platform with 64-bit integers, the loop will access memory outside the allocated memory section.

Code Block
bgColor#FFcccc
langc
int f(void) { 
/* assumingAssuming 32-bit pointer, 32-bit integer */
  size_t i;
  int **matrix triarray= =(int **)calloc(100, 4);
  if (triarraymatrix == NULL) {
    return -1; /* Indicate handlecalloc() errorfailure */
  }

  for (i = 0; i < 100; i++) {
   triarray matrix[i] = (int *)calloc(i, 4);
    if (triarraymatrix[i] == NULL) {
      return -1; /* Indicate handlecalloc() errorfailure */
    }
  }
 return 0;
}

Compliant Solution

The above example can be fixed by replacing This compliant solution replaces the hard-coded value 4 with the size of the type using sizeof. sizeof(int *):

Code Block
bgColor#ccccff
langc
int f(void) {
  size_t i;
  int **triarraymatrix = (int **)calloc(100, sizeof(int *matrix));

  if (!triarraymatrix == NULL) {
    return -1; /* Indicate handlecalloc() errorfailure */
 
 }

  for (i = 0; i < 100; i++) {
    triarraymatrix[i] = (int *)calloc(i, sizeof(int**matrix));
    if (!triarraymatrix[i] == NULL) {
      return -1; /* Indicate handlecalloc() errorfailure */
    }
  }

  return 0;
}

Risk Assessment

If non-compliant code is ported to a different platform, it could introduce a buffer or stack overflow vulnerability.

Also see MEM02-C. Immediately cast the result of a memory allocation function call into a pointer to the allocated type for a discussion on the use of the sizeof operator with memory allocation functions.

Exceptions

EXP09-C-EX1: The C Standard explicitly declares sizeof(char) == 1, so any sizes based on characters or character arrays may be evaluated without using sizeof. This does not apply to char* or any other data types.

Risk Assessment

Porting code with hard-coded sizes can result in a buffer overflow or related vulnerability.

Recommendation

Severity

Likelihood

Detectable

Repairable

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXPxx

EXP09-

A

3 (high)

1 (unlikely)

2 (medium)

C

High

Unlikely

No

Yes

P6

L2

References

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
alloc-without-sizeof
Partially checked
Compass/ROSE



Can detect violations of this recommendation. In particular, it looks for the size argument of malloc(), calloc(), or realloc() and flags when it does not find a sizeof operator in the argument expression. It does not flag if the return value is assigned to a char *; in this case a string is being allocated, and sizeof is unnecessary because sizeof(char) == 1

ECLAIR
Include Page
ECLAIR_V
ECLAIR_V
CC2.EXP09Can detect violations of this recommendation. In particular, it considers when the size of a type is used by malloc(), calloc() or realloc() and flags these functions if either the size argument does not use a sizeof operator, or the size argument uses sizeof, but the type of the returned value is not a pointer to the type of the argument to sizeof. It does not flag if the returned value is assigned to a char *
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0701
LDRA tool suite
Include Page
LDRA_V
LDRA_V

201 S

Partially implemented

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. EXP09-CChecks for hard-coded object size used to manipulate memory (rec. fully covered)
RuleChecker

Include Page
RuleChecker_V
RuleChecker_V

alloc-without-sizeofPartially checked
Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

C38
C39
C40
C42
C44
C45
C46
C46
Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID EXP09-CPP. Use sizeof to determine the size of a type or variable
MITRE CWECWE-805, Buffer access with incorrect length value


...

Image Added Image Added Image Added Wiki Markup\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.2.6, "Representations of types," and Section 6.5.3.4, "The sizeof operator"