SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 17

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

If one definition affects another, a relation exists between constants, you should encode the relationship in the definition; do definitions. Do not give two independent definitions. A corollary of this recommendation is not to encode transitory relationships in definitions.

...

, because a maintainer may fail to preserve that relationship when modifying the code. As a corollary, do not encode an impermanent or false relationship between constants, because future modifications may result in an incorrect definition for the dependent constant.

Noncompliant Code Example

In this non-compliant noncompliant code example, the definition for OUT_STR_LEN must always be two greater than the definition of IN_STR_LEN. The following definitions fail to embody this relationship:

Code Block
bgColor#FFcccc
langc

enum { IN_STR_LEN=18, OUT_STR_LEN=20 };

Consequently, a A programmer performing maintenance on this program would need to identify the relationship and modify both definitions accordingly. While Although this sort of error appears relatively benign, it could can easily lead to serious security vulnerabilities, such as buffer overflows.

Compliant Solution

The declaration in this compliant solution embodies the relationship between the two definitions.:

Code Block
bgColor#ccccff
langc

enum { IN_STR_LEN=18, OUT_STR_LEN=IN_STR_LEN+2 };

As a result, a programmer can reliably modify the program by changing the definition of IN_STR_LEN.

...

Noncompliant Code Example

In this non-compliant noncompliant code example, a relationship is established between two constants where none exists.:

Code Block
bgColor#FFcccc
langc

enum { ADULT_AGE=18 };

/* Misleading; relationship established when none exists */
enum { ALCOHOL_AGE=ADULT_AGE+3 }; /* misleading, relationship established when none exists */

A Consequently, a programmer performing maintenance on this program may modify the definition for ADULT_AGE but fail to recognize that the definition for ALCOHOL_AGE has also been changed as a consequence.

Compliant Solution

This compliant solution does not assume a relationship when where none exists:

Code Block
bgColor#ccccff
langc

enum { ADULT_AGE=18 };
enum { ALCOHOL_AGE=21 };

Risk Assessment

Failing to properly encode relationships in constant definitions may lead to the introduction of defects during maintenance. These defects could potentially result in vulnerabilities, for example, if the affected constants were used for allocating or accessing memory.

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

DCL08-

A

1 (low)

1 (unlikely)

1 (high)

C

Low

Unlikely

No

No

P1

L3

Automated Detection

Tool

Version

Checker

Description

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.10, "Preprocessing directives," and Section 5.1.1, "Translation environment"
\[[Plum 85|AA. C References#Plum 85]\] Rule 1-4

Related Guidelines

SEI CERT C++ Coding StandardVOID DCL08-CPP. Properly encode relationships in constant definitions
[Plum 1985]Rule 1-4


...

Image Added Image Added Image AddedDCL07-A. Include the appropriate type information in function declarators      02. Declarations and Initialization (DCL)       DCL09-A. Declare functions that return an errno error code with a return type of errno_t