The type, precision, and range of clock_t are implementation defined. Both time_t and clock_t are both only defined as "arithmetic types." However, how time is encoded within the arithmetic type is unspecified. Therefore, variables of these types should not be modified directly but should only have their values set by functions that understand their underlying representation.

Non-Compliant Code Example

This code attempts to execute do_some_work() multiple times until at least seconds_to_work has passed. However, because the encoding is not defined, there is no guarantee that adding start to seconds_to_work will result adding seconds_to_work seconds.

int do_work(int seconds_to_work) {
  time_t start;
  start = time();
  if (start == (time_t)(-1)) {
    /* Handle error */
  }
  while (time() < start + second_to_work) {
    do_some_work();
  }
}

Compliant Solution

This compliant solution uses difftime() to determine the difference between two time_t values. difftime() returns the number of seconds from the second parameter until the first parameter and returns the result as a double.

int do_work(int seconds_to_work) {
  time_t start, current;
  start = time();
  if (start == (time_t)(-1)) {
    /* Handle error */
  }
  while (time() < start + second_to_work) {
    current = time();
    if (current == (time_t)(-1)) {
       /* Handle error */
    }
    if (difftime(current, start) >= seconds_to_work)
      break;
    do_some_work();
  }
}

Note that this loop may still not exit, as the range of time_t may not be able to represent two times seconds_to_work apart.

Risk Assessment

Changing{{time_t}} or clock_t typed variables incorrectly can lead to broken logic that could place a program in an infinite loop or cause an expected logic branch to not actually execute.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC05-A

1 (low)

1 (low)

2 (medium)

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[Kettlewell 02|AA. C References#Kettlewell 02]\] Section 4.1, "time_t"

\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]] Section 7.23, "Date and time <time.h>"