SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 50

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 72

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

Always check that malloc() returns a non-null pointer, as per void MEM32ERR33-C. Detect and handle memory allocation standard library errors.

It is important to retain any pointer value returned by malloc() so that the referenced memory may eventually be deallocated. One possible way to preserve such a value is to use a constant pointer:

...

Arrays are a common source of vulnerabilities in C language programs because they are frequently used but not always fully understood.

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

ARR00-C

High

Probable

High

No

No

P6

L2

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.CAST.ARRAY.TEMP

Array to Pointer Conversion on Temporary Object
Klocwork
Include Page
Klocwork_V
Klocwork_V
ABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.GENERAL.MULTIDIMENSION
ABV.ITERATOR
ABV.MEMBER
ABV.STACK
ABV.TAINTED
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
ABV.UNKNOWN_SIZE
NNTS.MIGHT
NNTS.MUST
NNTS.TAINTED
SV.STRBO.BOUND_COPY.OVERFLOW
SV.STRBO.BOUND_COPY.UNTERM
SV.STRBO.BOUND_SPRINTF
SV.STRBO.UNBOUND_COPY
SV.STRBO.UNBOUND_SPRINTF
SV.TAINTED.ALLOC_SIZE
SV.TAINTED.CALL.INDEX_ACCESS
SV.TAINTED.CALL.LOOP_BOUND
SV.TAINTED.INDEX_ACCESS
SV.TAINTED.LOOP_BOUND
SV.UNBOUND_STRING_INPUT.CIN
SV.UNBOUND_STRING_INPUT.FUNC
LDRA tool suite
Include Page
LDRA_V
LDRA_V

401 S

Partially implemented

45 D, 47 S, 489 S, 567 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X

Partially implemented

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

409, 413, 429, 613

Partially supported: conceptually includes all other ARR items which are mapped to their respective guidelines; explicit mappings for ARR00 are present when a situation mentioned in the guideline itself is encountered

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C
++ Coding Standard
CTR00-CPP. Understand when to prefer vectors over arrays
MITRE CWE
Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-119,
Failure to constrain operations within the bounds of an allocated memory buffer
Improper Restriction of Operations within the Bounds of a Memory BufferPrior to 2018-01-12: CERT:
CWE 2.11CWE-123, Write-what-where ConditionPrior to 2018-01-12: CERT:
CWE 2.11CWE-125, Out-of-bounds ReadPrior to 2018-01-12: CERT:
CWE 2.11CWE-129, Unchecked array indexing

...

Prior to 2018-01-12: CERT:


...

Image Modified Image Modified Image Modified