SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 84

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

The read methods (readByte(), readShort(), readInt(), readLong(), readFloat(), and readDouble()) and the corresponding write methods defined by class java.io.DataInputStream and class java.io.DataOutputStream operate only on big-endian data. Use of these methods while interoperating with traditional languages, such as C or and C++, is insecure because such languages lack any guarantees about endianness. This noncompliant code example shows such a discrepancy:

...

Reading and writing data without considering endianness can lead to misinterpretations of both the magnitude and sign of the data.

Rule

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

FIO12-J

Low

Unlikely

Low

No

No

P3

P1

L3

Automated Detection

Automated detection is infeasible in the general case.

ToolVersionCheckerDescription
Parasoft Jtest

Include Page
Parasoft_V
Parasoft_V

CERT.FIO12.PMRWLEDProvide methods to read and write little-endian data

Related Guidelines

MITRE CWE

CWE-198, Use of Incorrect Byte Ordering

Bibliography

[API 2014]

Class ByteBuffer
  

Methods

Method wrap()

and


   Method order()
Class Integer
   Method reverseBytes()

[Cohen 1981]

"On Holy Wars and a Plea for Peace"

[Harold 1997]

Chapter 2, "Primitive Data Types, Cross-Platform Issues"

...


...