This list of errata lists errors identified since the release of the PDF document entitled SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems (2016 Edition). These corrections were made to the SEI CERT C Coding Standard wiki, which is the most current source for this standards information. The focus of the correction is highlighted in red below in the Before and After columns. This page does not include additions since this standard was published, if the addition doesn't actually correct a defect that was in the publication.
Location | Before (with error) | After (with correction) | Rationale |
p 9, Section 1.6 | Taint and Tainted Sources | Material from this section was contributed to ISO/IEC TS 17961:2013. Taint and Tainted Sources | Added citation for TS 17961 because it has similar content. |
p. 21, Section 1.16 | ...Brendan Saulsbury,Robert C. Seacord... | ...Brendan Saulsbury, Roger Scott, Robert C. Seacord... | |
p. 30, Section 2.3.1 | ); | } | The last line of the Noncompliant Code Example in section 2.3.1 closes the code block incorrectly with a close-parent-semicolin ");", but should be a closed brace "}". |
p. 43, Section 3.4.1 | Noncompliant Code Example (Header Guard) | Noncompliant Code Example (Include Guard) A common, but noncompliant, practice is to choose a reserved name for a macro used in a prepro- cessor conditional guarding against multiple inclusions of a header file. (See also PRE06-C. En- close header files in an include guard.) | Standardized the term to be "include guard". |
p 44, Section 3.4.2 | Compliant Solution (Header Guard) | Compliant Solution (Include Guard) This compliant solution avoids using leading underscores in the name of the include guard: | Standardized the term to be "include guard". |
p 54, Section 3.6.2 | However, compilers are free to implement arg.b = 2 by setting the low byte of a 32-bit register | However, a conforming compiler is free to implement arg.b = 2 by setting the low-order bits of a register to 2, leaving the high-order bits unchanged and containing sensitive information. Then the platform copies all register bits into memory, leaving sensitive information in the padding bits. Consequently, this implementation could leak the high-order bits from the register to a user. | A more precise clarification |
p 55, Section 3.6.3 |
|
| Zero out any remaining bytes in array to be copied. Use "buf" not "buff". |
p 56, Section 3.6.5 | GCC allows specifying declaration attributes using the keyword __attribute__((__packed__)) . When this attribute is present, the compiler will not add padding bytes for memory alignment unless otherwise required by the _Alignas alignment specifier ... | GCC allows specifying declaration attributes using the keyword __attribute__((__packed__)) . When this attribute is present, the compiler will not add padding bytes for memory alignment unless an explicit alignment specifier for a structure member requires the introduction of padding bytes. | Clarification that alignment requirements trump GCC packing attribute. |
p 57, Section 3.6.7 | However, compilers are free to implement the initialization of arg.a and arg.b by setting the | Paragraph was spurious and did not apply to code example, so it was removed. | |
p. 72, Section 4.1.8 | MISRA C:2012 Rule 12.1 (advisory) | MISRA C:2012 Rule 13.2 (required) | CERT cross-reference in MISRA C:2012 – Addendum 3 |
p. 88, Section 4.4.6 |
|
| Added assert statements to specify pointers that are expected not to be null. |
p. 95, Section 4.6.7 | On such an architecture, improper pointer alignment is permitted but remains an efficiency problem. | On such an architecture, improper pointer alignment is permitted but remains an efficiency problem. The x86 32- and 64-bit architectures... ...but they must also ensure that their compiler, along with its optimizer, also respect these guarantees. | Added counterexample and warning to EXP36-C-EX1. (See EXP36-C for full text.) |
p 105, Section 4.8.5 |
|
| Perform proper memory cleanup |
p 106, Section 4.8.6 |
|
| Perform proper memory cleanup |
p. 111, Section 4.10.1 | if (0 == memcmp(left, right, sizeof(struct s))) { |
| Added checks to both arguments to avoid possible null dereferences. |
p. 112, Section 4.10.3 |
|
| Added checks to both arguments to avoid possible null dereferences. |
p. 120, Section 4.11.4.2 | float x | float x; | Added semicolon for syntactic correctness. |
p 125, Section 4.12.8 | printf("%zu, %d\n, align, val); | printf("%zu, %d\n", align, val); | Added quote for syntactic correctness. |
p. 126, Section 4.13 | 4.13.1 | Performing assignment statements in other contexts do not violate this rule. However, they may violate other rules, such as EXP30-C. Do not depend on the order of evaluation for side effects. 4.13.1 | Added a reference to related rule EXP30-C to this rule's introduction. |
p. 128, Section 4.13.9 | while (ch = '\t' && ch == ' ' && ch == '\n') { | while (ch = '\t' || ch == ' ' || ch == '\n') { | Use || to test if a char has one of several values, rather than &&. |
p. 128, Section 4.13.10 (Noncompliant code) | while ('\t' = ch && ' ' == ch && '\n' == ch) { | while ('\t' = ch || ' ' == ch || '\n' == ch) { | Use || to test if a char has one of several values, rather than &&. |
p. 128, Section 4.13.10 (Compliant code) | while ('\t' == ch && ' ' == ch && '\n' == ch) { | while ('\t' == ch || ' ' == ch || '\n' == ch) { | Use || to test if a char has one of several values, rather than &&. |
p.138, Section 4.15 | Previous section is 4.14, rule EXP46-C | New rule EXP47-C. (See wiki for contents) | New rule deemed necessary (vulnerability not covered by pre-existing rule). |
p. 150, Section 5.3.5.2 | This compliant solution eliminates signed overflow on systems where | This compliant solution eliminates signed overflow on systems where | The phrase should be “ |
p. 186 Section 6.3.2 | i |
| Code now safely handles NaN. |
p. 187 Section 6.3.4 |
|
| Code now safely handles NaN. |
p. 189, Section 6.4.1 | long int big = 1234567890; | long int big = 1234567890L; | Addition of type suffix in initialization statement. |
p. 190, Section 6.4.2 | long int big = 1234567890; | long int big = 1234567890L; | Addition of type suffix in initialization statement. |
p. 203, Section 7.2.1 | In this noncompliant code example, a variable length array of size is declared. | In this noncompliant code example, a variable length array of size | The second ” |
p. 226, Section 8.1 | A character string literal is a sequence of zero or more multibyte characters enclosed in double-quotes, as in | A character string literal is a sequence of zero or more multibyte characters enclosed in double-quotes, as in | The period should appear outside the quote, not inside the quote because the quote is part of the character string. |
p. 279 Section 9.5.1 | The code checks for unsigned integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflow and also ensures that | The code attempts to check for unsigned integer overflow in compliance with INT30-C. Ensure that unsigned integer operations do not wrap and also ensures that len is not equal to zero. | The code uses only unsigned integers. |
p. 283, Section 10.1.4 |
|
| An error should be handled only if msg IS null, not IS NOT null. |
p. 286, Section 10.2.2 | When opening a FIFO with When opening a block special or character special file that supports nonblocking opens: Otherwise, the behavior of | When opening a FIFO with
When opening a block special or character special file that supports nonblocking opens:
Otherwise, the behavior of | Bulleted items were missing. |
p. 365, Section 12.2.3 | Signal handlers can refer to objects with static or thread storage a duration that are lock-free atomic objects, as in this compliant solution: | Signal handlers can refer to objects with static or thread storage durations that are lock-free atomic objects, as in this compliant solution: | The phrase should be “storage durations” not “storage a duration.” |
p. 374, Section 13.1 | • Those that set errno and return an | • Those that set errno and return an out-of-band error indicator | Changed 'and' to 'an' to correct both noun phrases |
p. 375, Section 13.1 | c16rtomb() , c | c16rtomb() , c32tomb() | The standard library function name was incorrectly spelled. |
p. 447, Section 14.11.1 | This noncompliant code example declares a shared | This noncompliant code example declares a shared | The variable should be “ |
p. 447, Section 14.11.1 | Execution of this code may result in a data race because the value of flag is read, negated, and written back. | Execution of this code may result in unexpected behavior because the value of flag is read, negated, and written back. | Changed "data race" to a more appropriate term. |
p 456-457, Section 15.1.3 | Replaced Section 15.1.3 (Compliant Solution (Windows) | Replaced Section 15.1.3 (Compliant Solution (Windows) | Old CS was based on CryptGenRandom() which is deprecated. New CS is based on BCryptGenRandom(), which is recommended as replacement. |
p 458, Section 15.1.6 | “CryptGenRandom Function“ | “BCryptGenRandom Function“ | Updated bib. reference to correspond with new Section 15.1.3 |
p. 461, Section 15.2.3 | Replaced Section 15.2.3 (Compliant Solution (Windows) | Replaced Section 15.2.3 (Compliant Solution (Windows) | Old CS was based on CryptGenRandom() which is deprecated. New CS is based on BCryptGenRandom(), which is recommended as replacement |
p 462, Section 15.2.6 | “CryptGenRandom Function“ | “BCryptGenRandom Function“ | Updated bib. reference to correspond with new Section 15.2.3 |
p. 479, Section A | Previous section is 15.7.8, rule MSC40-C | New rule MSC41-C (See wiki for contents) | New rule deemed necessary (vulnerability not covered by pre-existing rule). |
p. 501, Section B | "analyzer" definition reference was [ISO/IEC 9899:2011]. | "analyzer" definition reference should be [ISO/IEC TS 17961:2013] | Reference was to the wrong ISO/IEC standard document. |
p. 519, Section C | 137 The macro va_arg is invoked using the parameter ap that was | 137 The macro va_arg is invoked using the parameter ap that was passed to a function that invoked the macro va_arg with the same parameter (7.16) | Rule CON37-C should be associated with Undefined Behavior 135, not 137. |
p. 519, Section C | 135 The signal function is used in a multi-threaded program (7.14.1.1). | 135 The signal function is used in a multi-threaded program (7.14.1.1). CON37-C | Rule CON37-C should be associated with Undefined Behavior 135, not 137. |