
The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. However, using the sizeof operator to determine the size of arrays is error prone.

Non-Compliant Code Example

In this non-compliant code example, the function clear() zeros the elements in an array. The function has one parameter declared as int array[] and is passed a static array of twelve int elements as the argument. The function clear() uses the idiom sizeof (array) / sizeof (array[0]) to determine the number of elements in the array. However, array has a pointer type because it is a parameter, so sizeof (array) is sizeof (int *). For example, in GCC on IA32, the expression sizeof (array) / sizeof (array[0]) evaluates to 1, regardless of the length of the array passed, so only the first element is zeroed and the rest of the array is left unaffected.

#include <stddef.h>

/* Non-compliant: array is a parameter, so its type here is int *, and
 * sizeof (array) / sizeof (array[0]) is sizeof (int *) / sizeof (int),
 * not the number of elements in the caller's array. */
void clear(int array[]) {
  size_t i;
  for (i = 0; i < sizeof (array) / sizeof (array[0]); ++i) {
    array[i] = 0;
  }
}
/* ... */
int dis[12];

clear(dis);   /* zeros only the first element on IA32, not all twelve */
/* ... */

The footnote in Section 6.5.3.4 of the C Standard [[ISO/IEC 9899:1999]] explains:

When applied to a parameter declared to have array or function type, the sizeof operator yields the size of the adjusted (pointer) type . . . .

Compliant Solution

In this compliant solution, the size of the array is determined inside the block in which it is declared and passed as an argument to the function.

#include <stddef.h>

/* Compliant: the caller computes the element count where the array is
 * declared (while it is still an array, not a pointer) and passes it. */
void clear(int array[], size_t size) {
  size_t i;
  for (i = 0; i < size; i++) {
    array[i] = 0;
  }
}
/* ... */
int dis[12];

/* dis has array type in this scope, so sizeof (dis) is the whole object */
clear(dis, sizeof (dis) / sizeof (dis[0]));
/* ... */
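The following program, added here as an illustration and not part of the original CERT page, puts the non-compliant and compliant versions side by side so the difference is observable rather than described. It generalizes the page's IA32 observation: inside the callee the idiom yields sizeof (int *) / sizeof (int), which is 1 on IA32 as stated above and 2 on the common 64-bit ABIs. The names count_via_parameter, clear_n, count_zero, cleared_by_bad_idiom, cleared_by_caller_count and the ARRAY_SIZE macro are this example's own, and the twelve-element sample array is constructed data.

```c
#include <stddef.h>
#include <stdio.h>

/* Element count of an array object. Only valid where `a` is still an array,
 * i.e. in the scope that declares it, before it decays to a pointer. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* The idiom from the non-compliant example applied to a parameter. The
 * parameter is adjusted to `int *`, so this returns
 * sizeof(int *) / sizeof(int): 1 on IA32, 2 on common 64-bit ABIs. */
size_t count_via_parameter(int array[]) {
    return sizeof(array) / sizeof(array[0]);
}

/* The compliant pattern: the caller supplies the element count. */
void clear_n(int *array, size_t size) {
    for (size_t i = 0; i < size; ++i) {
        array[i] = 0;
    }
}

/* Number of elements equal to zero among the first `size` elements. */
size_t count_zero(const int *array, size_t size) {
    size_t zeros = 0;
    for (size_t i = 0; i < size; ++i) {
        if (array[i] == 0) {
            ++zeros;
        }
    }
    return zeros;
}

/* Clears a twelve-element array (constructed sample data) using the count
 * the bad idiom produces, and reports how many elements actually became 0. */
size_t cleared_by_bad_idiom(void) {
    int dis[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
    size_t n = count_via_parameter(dis);   /* 1 or 2, never 12 */
    clear_n(dis, n);
    return count_zero(dis, ARRAY_SIZE(dis));
}

/* Same array, cleared with the count computed at the declaration site. */
size_t cleared_by_caller_count(void) {
    int dis[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
    clear_n(dis, ARRAY_SIZE(dis));          /* 12 */
    return count_zero(dis, ARRAY_SIZE(dis));
}

int main(void) {
    int dis[12];
    printf("sizeof(int *) / sizeof(int)  = %zu\n", sizeof(int *) / sizeof(int));
    printf("count inside callee          = %zu\n", count_via_parameter(dis));
    printf("ARRAY_SIZE at declaration    = %zu\n", ARRAY_SIZE(dis));
    printf("elements cleared, bad idiom  = %zu\n", cleared_by_bad_idiom());
    printf("elements cleared, caller cnt = %zu\n", cleared_by_caller_count());
    return 0;
}
```

Recent GCC and Clang releases emit a diagnostic for sizeof applied to an array-typed parameter and for the sizeof(ptr) / sizeof(ptr[0]) division, so compiling this with warnings enabled flags count_via_parameter; treating that warning as an error is a cheap build-time check for the pattern this recommendation describes.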

Risk Assessment

Incorrectly using the sizeof operator to determine the size of an array can result in a buffer overflow, allowing the execution of arbitrary code.

Recommendation | Severity | Likelihood   | Remediation Cost | Priority | Level
ARR00-A        | 3 (high) | 2 (probable) | 3 (low)          | P18      | L1

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

The tool Compass Rose can detect violations of the recommendation, but it cannot distinguish between incomplete array declarations and pointer declarations.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899:1999]] Section 6.7.5.2, "Array declarators"
[[Drepper 06]] Section 2.1.1, "Respecting Memory Bounds"
