If a file with the same name as a standard file name header is placed in the search path for included source files, the behavior is undefined.

The following table from the C Standard, subclause 7.1.2 [ISO/IEC 9899:2011], lists these standard headers:

<assert.h>      <math.h>        <stdlib.h>
<complex.h>     <setjmp.h>      <stdnoreturn.h>
<ctype.h>       <signal.h>      <string.h>
<errno.h>       <stdalign.h>    <tgmath.h>
<fenv.h>        <stdarg.h>      <threads.h>
<float.h>       <stdatomic.h>   <time.h>
<inttypes.h>    <stdbool.h>     <uchar.h>
<iso646.h>      <stddef.h>      <wchar.h>
<limits.h>      <stdint.h>      <wctype.h>
<locale.h>      <stdio.h>

Do not reuse standard header file names, system-specific header file names, or other header file names.

Noncompliant Code Example

In this noncompliant code example, the programmer chooses to use a local version of the standard library but does not make the change clear:

```c
#include "stdio.h"  /* Confusing, distinct from <stdio.h> */

/* ... */
```

Compliant Solution

The solution addresses the problem by giving the local library a unique name (per PRE08-C. Guarantee that header file names are unique), which makes it apparent that the library used is not the original:

```c
/* Using a local version of stdio.h */
#include "mystdio.h"

/* ... */
```
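A project-level check for this recommendation, as an added example that is not part of the original page or of any tool listed on it: it walks a source tree and reports files named like a standard header as well as quoted includes of those names. The function names, the basename-only comparison and the constructed sample tree in `demo()` are assumptions of this example.

```python
import os
import re
import tempfile

# Standard headers from C11 subclause 7.1.2, as listed on this page.
STANDARD_HEADERS = frozenset(
    f"{stem}.h" for stem in """assert complex ctype errno fenv float inttypes
    iso646 limits locale math setjmp signal stdalign stdarg stdatomic stdbool
    stddef stdint stdio stdlib stdnoreturn string tgmath threads time uchar
    wchar wctype""".split())
# Matches `#include "name"`, allowing spaces around '#'; <name> is ignored.
QUOTED_INCLUDE = re.compile(r'^\s*#\s*include\s*"([^"]+)"')


def find_violations(root):
    """Return sorted (relative_path, line_number, reason); line 0 = file name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".c", ".h")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # A same-named file on the search path can replace the real header.
            if name in STANDARD_HEADERS:
                findings.append((rel, 0, f"file reuses standard header name {name}"))
            with open(path, encoding="utf-8", errors="replace") as src:
                for lineno, line in enumerate(src, start=1):
                    m = QUOTED_INCLUDE.match(line)
                    # Compare the basename so "compat/stdio.h" is flagged too.
                    if m and m.group(1).rsplit("/", 1)[-1] in STANDARD_HEADERS:
                        findings.append((rel, lineno, f'quoted include of "{m.group(1)}"'))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree mirroring the page's two examples."""
    samples = {"stdio.h": "/* local copy */\n",
               "mystdio.h": "/* local copy, unique name */\n",
               "bad.c": '#include "stdio.h"  /* noncompliant */\n',
               "good.c": '#include <stdio.h>\n#include "mystdio.h"\n'}
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as f:
                f.write(text)
        return find_violations(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```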

Risk Assessment

Using header file names that conflict with other header file names can result in an incorrect file being included.

| Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| PRE04-C | Low | Unlikely | Yes | No | P2 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Axivion Bauhaus Suite | | CertC-PRE04 | |
| Cppcheck Premium | | premium-cert-pre04-c | |
| ECLAIR | | CC2.PRE04 | Fully implemented |
| Helix QAC | | C5001 | |
| LDRA tool suite | | 568 S | Fully implemented |
| Polyspace Bug Finder | | CERT C: Rec. PRE04-C | Checks for reuse of standard header file (rec. fully covered) |
| Security Reviewer - Static Reviewer | | RTOS_22 | Fully implemented |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 9899:2011] Subclause 7.1.2, "Standard Headers"