SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 40

changes.mady.by.user Ed Desautels

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Type alignment requirements can also affect the size of structures. For example, the size of the following structure is implementation-defined:

Code Block

struct s {
   int i;
   double d;
};

Assuming 32-bit integers and 64-bit doubles, for example, the size can range from 12 or 12 to 16 bytes, depending on alignment rules.

...

Noncompliant Code Example

This non-compliant noncompliant code example attempts to declare a two-dimensional array of integers with variable length rows. On a platform with 64-bit integers, the loop will access memory outside the allocated memory section.

Code Block
bgColor#FFcccc
langc
int f(void) { 
/* assumingAssuming 32-bit pointer, 32-bit integer */
  size_t i;
  int **matrix = (int **)calloc(100, 4);
  if (matrix == NULL) {
    return -1; /* handle errorIndicate calloc() failure */
  }

  for (i = 0; i < 100; i++) {
    matrix[i] = (int *)calloc(i, 4);
    if (matrix[i] == NULL) {
      return -1; /* handle errorIndicate calloc() failure */
    }
  }
 return 0;
}

Compliant Solution

This compliant solution replaces the hard-coded value 4 with sizeof(int *).:

Code Block
bgColor#ccccff
langc
int f(void) {
  size_t i;
  int **matrix = (int **)calloc(100, sizeof(int *matrix));
  if (matrix == NULL) {
    return -1; /* handle errorIndicate calloc() failure */
  }

  for (i = 0; i < 100; i++) {
    matrix[i] = (int *)calloc(i, sizeof(int**matrix));
    if (matrix[i] == NULL) {
      return -1; /* handle errorIndicate calloc() failure */
    }
  }

  return 0;
}

Also see MEM02-AC. Immediately cast the result of a memory allocation function call into a pointer to the allocated type for a discussion on the use of the sizeof operator with memory allocation functions.

Exceptions

EXP09-C-EX1: The C Standard explicitly declares sizeof(char) == 1, so any sizes based on characters or character arrays may be evaluated without using sizeof. This does not apply to char* or any other data types.

Risk Assessment

If non-compliant code is ported to a different platform, it could introduce a buffer or stack overflow Porting code with hard-coded sizes can result in a buffer overflow or related vulnerability.

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

EXP09-

A

C

High

high

Unlikely

unlikely

No

medium

Yes

P6

L2

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
alloc-without-sizeof
Partially checked
Compass/ROSE

...



Can detect violations of this recommendation. In particular, it looks for the size argument of malloc(), calloc(), or realloc()

...

and flags when it does not find a sizeof operator in the argument expression. It does not flag if the return value is assigned to a char *

...

; in this case a string is being allocated, and sizeof is unnecessary

...

because sizeof(char) == 1

ECLAIR
Include Page
ECLAIR_V
ECLAIR_V
CC2.EXP09Can detect violations of this recommendation. In particular, it considers when the size of a type is used by malloc(), calloc() or realloc() and flags these functions if either the size argument does not use a sizeof operator, or the size argument uses sizeof, but the type of the returned value is not a pointer to the type of the argument to sizeof. It does not flag if the returned value is assigned to a char *
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0701
LDRA tool suite
Include Page
LDRA_V
LDRA_V

201 S

Partially implemented

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. EXP09-CChecks for hard-coded object size used to manipulate memory (rec. fully covered)
RuleChecker

Include Page
RuleChecker_V
RuleChecker_V

alloc-without-sizeofPartially checked
Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

C38
C39
C40
C42
C44
C45
C46
C46
Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.2.6, "Representations of types," and Section 6.5.3.4, "The sizeof operator"

Related Guidelines

SEI CERT C++ Coding StandardVOID EXP09-CPP. Use sizeof to determine the size of a type or variable
MITRE CWECWE-805, Buffer access with incorrect length value


...

Image Added Image Added Image AddedEXP08-A. Ensure pointer arithmetic is used correctly      03. Expressions (EXP)       EXP10-A. Do not depend on the order of evaluation of subexpressions or the order in which side effects take place