SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 51

changes.mady.by.user Anirban Gangopadhyay

Saved on

compared with

New Version Current

changes.mady.by.user Richard W. Laughlin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Removed references to Annex K.

...

Code Block
bgColor#ccccff
langc
char *improved_strncpy(char * restrict s1, size_t s1count, const char * restrict s2, size_t s2count, size_t n);
char *improved_strncat(char * restrict s1, size_t s1count, const char * restrict s2, size_t s2count, size_t n);

The n parameter is used to specify a number of elements to copy that is less than the total number of elements in the source string.

Compliant Solution (C11 Annex K)

The C Standard, Annex K (normative) Bounds-checking interfaces, defines bounds-checking versions of standard C library string-handling functions:

...

bgColor#ccccff
langc

...

There are two notable differences between the compliant solution and the secure versions from Annex K. First, the Annex K versions use rsize_t instead of size_t, which allows the size to be compared against the reasonable limit for a single object, RSIZE_MAX. Second, the Annex K versions do not require an element count for the second array. Consequently, these functions have limited ability to validate the input for s2. However, a size value for s1 is required, so memory outside of the range for s1 should not be overwritten.

Exceptions

API02-C-EX1: Functions that can guarantee via their runtime-constraint handlers that no out-of-bounds read or write occurs may omit the maximum-elements argument. For instance, the s2 parameter to strcat_s() needs no max parameter.

...

Failure to follow this recommendation can result in improper memory accesses and buffer overflows that are detrimental to the correct and continued execution of the program.

Rule

Severity

Likelihood

Detectable

Remediation CostRepairable

Priority

Level

API02-C

High

Likely

Yes

NoHigh

P9P18

L2L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
BADFUNC.BO.*

A collection of checks that report uses of library functions prone to internal buffer overflows.

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-API02-a
CERT_C-API02-b

Avoid using unsafe string functions which may cause buffer overflows
Don't use unsafe C functions that do write to range-unchecked buffers

Polyspace Bug Finder
Include Page
Polyspace Bug Finder_VPolyspace Bug Finder_V

Array access out of bounds

Array access with tainted index

Pointer access out of bounds

Use of dangerous standard function

Use of tainted pointer

Pointer dereference with tainted offset

Array index outside bounds during array access

Array index from unsecure source possibly outside array bounds

Pointer dereferenced outside its bounds

Dangerous functions cause possible buffer overflow in destination buffer

Pointer from an unsecure source may be NULL or point to unknown memory

Offset is from an unsecure source and dereference may be out of bounds

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

...

[ISO/IEC 9899:2011]Annex K (normative) Bounds-checking Interfaces


...