SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 89

changes.mady.by.user Lisa Robertson

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Incorrectly using the sizeof operator to determine the size of an array can result in a buffer overflow, allowing the execution of arbitrary code.

Recommendation

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

ARR01-C

High

Probable

No

Low

Yes

P18

P12

L1

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
sizeof-array-parameter
Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-ARR01Fully implemented
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.TYPE.SAP

sizeof Array Parameter
Compass/ROSE

 

 



Can detect violations of the recommendation but cannot distinguish between incomplete array declarations and pointer declarations

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1321


Klocwork
Include Page
Klocwork_V
Klocwork_V
CWARN.MEMSET.SIZEOF.PTRFully implemented
LDRA tool suite
Include Page
LDRA_V
LDRA_V

401 S

Fully implemented

Parasoft C/C++test
9.5PB-32Fully implementedPolyspace Bug FinderR2016a
Include Page
Parasoft_V
Parasoft_V

CERT_C-ARR01-a

Do not call 'sizeof' on a pointer type

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

682, 882

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. ARR01-C


Checks for:

  • Wrong type used in sizeof
  • Possible misuse of sizeof
Use of sizeof operator can cause unintended results

Rec, fully covered.

Splint
Include Page
Splint_V
Splint
_V

 

_V



PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V511, V512, V514, V568, V579, V604, V697, V1086
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
sizeof-array-parameterFully checked
 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C
SEI CERT C++ Coding Standard
CTR01-CPP. Do not apply the sizeof operator to a pointer when taking the size of an array
MITRE CWE
Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-467, Use of sizeof() on a pointer typePrior to 2018-01-12: CERT:
ISO/IEC TS 17961Taking the size of a pointer to determine the size of the pointed-to type [sizeofptr]Prior to 2018-01-12: CERT: Unspecified Relationship
MITRE CWECWE-569Prior to 2018-01-12:
MITRE CWECWE-783Prior to 2018-01-12:

Bibliography

[Drepper 2006]Section 2.1.1, "Respecting Memory Bounds"
[ISO/IEC 9899:2011]Subclause 6.5.3.4, "The sizeof and _Alignof Operators"

...


...

Image Modified Image Modified Image Modified