SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 160

changes.mady.by.user Dario Necco

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Annex J of the C Standard [ISO/IEC 9899:20112024] states that it is undefined behavior if the "pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid." (See undefined behavior 109108.)

In the following code,

Code Block
int arr[5];
int *p = arr;

unsigned char *p2 = (unsigned char *)arr;
unsigned char *p3 = arr + 2;
void *p4 = arr;

...

fgets()fgetws()mbstowcs()1 wcstombs()1
mbrtoc16()2 mbrtoc32()2mbsrtowcs()1wcsrtombs()1
mbtowc()2 mbrtowc()1 2mblen()mbrlen()
memchr()wmemchr()memset()wmemset()
strftime()wcsftime()strxfrm()1wcsxfrm()1
strncat()2 wcsncat()2snprintf()vsnprintf()
swprintf()vswprintf()setvbuf()tmpnam_s()
snprintf_s()sprintf_s() vsnprintf_s()vsprintf_s()
gets_s() getenv_s()wctomb_s()mbstowcs_s()3
wcstombs_s()3memcpy_s()3memmove_s()3strncpy_s()3
strncat_s()3strtok_s()2strerror_s()strnlen_s()
asctime_s()ctime_s()snwprintf_s()swprintf_s()
vsnwprintf_s()vswprintf_s()wcsncpy_s()3wmemcpy_s()3
wmemmove_s()3wcsncat_s()3wcstok_s()2wcsnlen_s()
wcrtomb_s()mbsrtowcs_s()3wcsrtombs_s()3memset_s()4

...

Depending on the library function called, an attacker may be able to use a heap or stack overflow vulnerability to run arbitrary code.

Rule

Severity

Likelihood

Detectable

RepairableRemediation Cost

Priority

Level

ARR38-C

High

Likely

No

NoMedium

P18P9

L1L2

Automated Detection


BADFUNC.BO.*A collection of warning classes that report uses of library functions prone to internal buffer overflowsPolyspace Bug FinderPolyspace Bug FinderCERT CFully implemented

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
array_out_of_bounds

Supported

Astrée reports all out-of-bound accesses within library analysis stubs. The user may provide additional stubs for arbitrary (library) functions.

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
LANG.MEM.BU

Buffer overrun
Buffer underrun

Compass/ROSE




Coverity
Include Page
Coverity_V
Coverity_V

BUFFER_SIZE

BAD_SIZEOF

BAD_ALLOC_STRLEN

BAD_ALLOC_ARITHMETIC

Implemented
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-arr38-c

Fortify SCA

5.0


Can detect violations of this rule with CERT C Rule PackKlocwork

Helix QAC

Include Page

Klocwork

Helix QAC_V

Klocwork

Helix QAC_V

C2840

DF2840, DF2841, DF2842, DF2843, DF2845, DF2846, DF2847, DF2848, DF2935, DF2936, DF2937, DF2938, DF4880, DF4881, DF4882, DF4883


Klocwork

Include Page
Klocwork_V
Klocwork_V

ABV.GENERAL
ABV.GENERAL.MULTIDIMENSIONABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.ITERATOR
ABV.STACK
ABV.TAINTED
ABV.UNKNOWN_SIZE


LDRA tool suite
Include Page
LDRA_V
LDRA_V
64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X
Partially Implmented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-ARR38-a
CERT_C-ARR38-b
CERT_C-ARR38-c
CERT_C-ARR38-d

Avoid overflow when reading from a buffer
Avoid overflow when writing to a buffer
Avoid buffer overflow due to defining incorrect format limits
Avoid overflow due to reading a not zero terminated string

Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page

PC-lint Plus_V

Polyspace Bug Finder_V

PC-lint Plus_V

419, 420

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C

: Rule ARR38-C

Checks for:

  • Mismatch between data length and size
  • Invalid use of standard library memory routine
  • Possible misuse of sizeof
  • Buffer overflow from incorrect string format specifier
  • Invalid use of standard library string routine
  • Destination buffer overflow in string manipulation
  • Destination buffer underflow in string manipulation

Rule partially covered.

PRQA QA-C
Include Page
PRQA QA-C_vPRQA QA-C_v

2840, 2841, 2842, 2843, 2845, 2846,

2847, 2848, 2935, 2936, 2937, 2938

Fully implementedPRQA QA-C++
Include Page
cplusplus:PRQA QA-C++_Vcplusplus:PRQA QA-C++_V
Security Reviewer - Static Reviewer

6.02

C109

Fully Implemented

2840, 2841, 2842, 2843, 2844,

2935, 2936, 2937, 2938, 2939

Splint

Include Page
Splint_V
Splint_V



TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

out of bounds readPartially verified.

Related Vulnerabilities

CVE-2016-2208 results from a violation of this rule. The attacker can supply a value used to determine how much data is copied into a buffer via memcpy(), resulting in a buffer overlow of attacker-controlled data.

...

Taxonomy

Taxonomy item

Relationship

C Secure Coding StandardAPI00-C. Functions should validate their parametersPrior to 2018-01-12: CERT: Unspecified Relationship
C Secure Coding StandardARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an arrayPrior to 2018-01-12: CERT: Unspecified Relationship
C Secure Coding StandardINT30-C. Ensure that unsigned integer operations do not wrapPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961:2013Forming invalid pointers by library functions [libptr]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Buffer Boundary Violation (Buffer Overflow) [HCB]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Unchecked Array Copying [XYW]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer2017-05-18: CERT: Rule subset of CWE
CWE 2.11CWE-121, Stack-based Buffer Overflow2017-05-18: CERT: Partial overlap
CWE 2.11CWE-123, Write-what-where Condition2017-05-18: CERT: Partial overlap
CWE 2.11CWE-125, Out-of-bounds Read2017-05-18: CERT: Partial overlap
CWE 2.11CWE-805, Buffer Access with Incorrect Length Value2017-05-18: CERT: Partial overlap
CWE 3.1CWE-129, Improper Validation of Array Index

2017-10-30:MITRE:Unspecified Relationship

2018-10-18:CERT:Partial Overlap

CERT-CWE Mapping Notes

Key here for mapping notes

...

  • Arbitrary writes that do not involve standard C library functions

CWE-129 and ARR38-C

ARR38-C -CWE-129 = making library functions create invalid pointers without using untrusted data.

...