The sizeof operator yields the size (in bytes) of its operand, which can be an expression or the parenthesized name of a type. However, using the sizeof operator to determine the size of arrays is error prone.

The sizeof operator is often used to determine how much memory to allocate via malloc(). However, using an incorrect size is a violation of MEM35-C. Allocate sufficient memory for an object.

Noncompliant Code Example

```c
#include <stddef.h>

void clear(int array[]) {
  /* array is adjusted to int *, so sizeof(array) is sizeof(int *),
     not the size of the caller's array */
  for (size_t i = 0; i < sizeof(array) / sizeof(array[0]); ++i) {
    array[i] = 0;
  }
}

void dowork(void) {
  int dis[12];

  clear(dis);
  /* ... */
}
```

Footnote 103 in subclause 6.5.3.4 of the C Standard [ISO/IEC 9899:2011] applies to all array parameters:

When applied to a parameter declared to have array or function type, the sizeof operator yields the size of the adjusted (pointer) type . . . .


Compliant Solution

In this compliant solution, the size of the array is determined inside the block in which it is declared and passed as an argument to the function:

```c
#include <stddef.h>

void clear(int array[], size_t len) {
  for (size_t i = 0; i < len; i++) {
    array[i] = 0;
  }
}

void dowork(void) {
  int dis[12];

  /* sizeof(dis) sees the array object here, so this is the element count */
  clear(dis, sizeof(dis) / sizeof(dis[0]));
  /* ... */
}
```

Noncompliant Code Example

In this noncompliant code example, sizeof(a) does not equal 100 * sizeof(int) because the sizeof operator, when applied to a parameter declared to have array type, yields the size of the adjusted (pointer) type, even if the parameter declaration specifies a length:

```c
#include <assert.h>
#include <string.h>

enum {ARR_LEN = 100};

void clear(int a[ARR_LEN]) {
  memset(a, 0, sizeof(a)); /* Error: sizeof(a) is sizeof(int *) */
}

int main(void) {
  int b[ARR_LEN];
  clear(b);
  assert(b[ARR_LEN / 2] == 0); /* May fail */
  return 0;
}
```

Compliant Solution

In this compliant solution, the size is specified using the expression len * sizeof(int):

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

enum {ARR_LEN = 100};

void clear(int a[], size_t len) {
  memset(a, 0, len * sizeof(int));
}

int main(void) {
  int b[ARR_LEN];
  clear(b, ARR_LEN);
  assert(b[ARR_LEN / 2] == 0); /* Cannot fail */
  return 0;
}
```
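The following program is an added example, not code from the CERT page; its function and macro names (param_bytes, param_elems, clear_n, ARRAY_ELEMS and the rest) are this example's own. It measures what both noncompliant examples above rely on: sizeof applied to an array parameter returns the size of the adjusted pointer type, so a loop bound or memset length derived from it covers only sizeof(int *) / sizeof(int) elements, while the compliant pattern (measure the array where it is declared, pass the length down) clears the whole array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the CERT page. All names below are this
 * example's own. */

enum { ARR_LEN = 100 };

/* Element count of an array object; valid only where the array is declared,
 * never on a parameter or pointer. */
#define ARRAY_ELEMS(arr) (sizeof(arr) / sizeof((arr)[0]))

/* GCC and Clang diagnose sizeof on an array parameter (-Wsizeof-array-argument)
 * and the pointer-size / element-size division (-Wsizeof-pointer-div). They are
 * silenced here only so the mistake can be measured; in real code these
 * warnings are the detection this recommendation relies on. */
#pragma GCC diagnostic ignored "-Wsizeof-array-argument"
#pragma GCC diagnostic ignored "-Wsizeof-pointer-div"

/* Inside the callee the declared bound is discarded: a has type int *. */
static size_t param_bytes(int a[ARR_LEN]) {
    return sizeof(a);
}

/* The element count the noncompliant loop computes inside the callee. */
static size_t param_elems(int a[ARR_LEN]) {
    return sizeof(a) / sizeof(a[0]);
}

/* Compliant clear: the caller supplies len; sizeof is applied to an element,
 * never to the parameter. */
static void clear_n(int *a, size_t len) {
    memset(a, 0, len * sizeof(*a));
}

/* Number of leading elements of a that are zero. */
static size_t leading_zeros(const int *a, size_t len) {
    size_t n = 0;
    while (n < len && a[n] == 0) {
        ++n;
    }
    return n;
}

/* sizeof as seen by the callee: equals sizeof(int *), not ARR_LEN * sizeof(int). */
size_t callee_sizeof_of_param(void) {
    int b[ARR_LEN] = {0};
    return param_bytes(b);
}

/* Element count computed at the declaring scope: ARR_LEN. */
size_t caller_elem_count(void) {
    int b[ARR_LEN] = {0};
    return ARRAY_ELEMS(b);
}

/* Clears with a size derived from sizeof(parameter) and reports how many
 * elements were actually zeroed; anything below ARR_LEN means part of the
 * array kept its old contents. */
size_t zeroed_by_noncompliant_clear(void) {
    int b[ARR_LEN];
    for (size_t i = 0; i < ARR_LEN; ++i) {
        b[i] = 1;
    }
    memset(b, 0, param_elems(b) * sizeof(b[0]));
    return leading_zeros(b, ARR_LEN);
}

/* Same check for the compliant pattern: always ARR_LEN. */
size_t zeroed_by_compliant_clear(void) {
    int b[ARR_LEN];
    for (size_t i = 0; i < ARR_LEN; ++i) {
        b[i] = 1;
    }
    clear_n(b, ARRAY_ELEMS(b));
    return leading_zeros(b, ARR_LEN);
}

int main(void) {
    printf("sizeof(parameter)   = %zu bytes (sizeof(int *) = %zu)\n",
           callee_sizeof_of_param(), sizeof(int *));
    printf("elements at caller  = %zu\n", caller_elem_count());
    printf("noncompliant clear  = %zu of %d elements zeroed\n",
           zeroed_by_noncompliant_clear(), ARR_LEN);
    printf("compliant clear     = %zu of %d elements zeroed\n",
           zeroed_by_compliant_clear(), ARR_LEN);
    return 0;
}
```

On a typical LP64 platform the noncompliant clear zeroes 2 of the 100 elements (8 / 4), on a 32-bit platform 1; the compliant clear zeroes all 100 regardless of pointer width, which is the whole point of passing the length instead of recomputing it from the parameter.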

Risk Assessment

Incorrectly using the sizeof operator to determine the size of an array can result in a buffer overflow, allowing the execution of arbitrary code.

Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level
ARR01-C | High | Probable | No | Yes | P12 | L1

Automated Detection

Tool | Checker | Description
Astrée | sizeof-array-parameter | Fully checked
Axivion Bauhaus Suite | CertC-ARR01 | Fully implemented
CodeSonar | LANG.TYPE.SAP | sizeof Array Parameter
Compass/ROSE | | Can detect violations of the recommendation, but it cannot distinguish between incomplete array declarations and pointer declarations
Helix QAC | C1321 |
Klocwork | CWARN.MEMSET.SIZEOF.PTR | Fully implemented
LDRA tool suite | 401 S | Fully implemented
Parasoft C/C++test | CERT_C-ARR01-a | Do not call 'sizeof' on a pointer type
PC-lint Plus | 682, 882 | Fully supported
Polyspace Bug Finder | CERT C: Rec. ARR01-C | Checks for wrong type used in sizeof and possible misuse of sizeof (Rec. fully covered)
Splint | |
PVS-Studio | V511, V512, V514, V568, V579, V604, V697, V1086 |
RuleChecker | sizeof-array-parameter | Fully checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy | Taxonomy item | Relationship
CERT C | ... | ...
ISO/IEC TS 17961 | Taking the size of a pointer to determine the size of the pointed-to type [sizeofptr] | Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11 | CWE-467, Use of sizeof() on a pointer type | Prior to 2018-01-12: CERT: Unspecified Relationship
MITRE CWE | CWE-569 | Prior to 2018-01-12:
MITRE CWE | CWE-783 | Prior to 2018-01-12:

Bibliography

[Drepper 2006] Section 2.1.1, "Respecting Memory Bounds"
[ISO/IEC 9899:2011] Subclause 6.5.3.4, "The sizeof and _Alignof Operators"

