SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 35 Next »

Do not hard-code the size of a type into an application. Because of alignment, padding, and differences in basic types (e.g., 32-bit versus 64-bit pointers), the size of most types can vary between compilers and even versions of the same compiler. Using the sizeof operator to determine sizes improves the clarity of what is meant and ensures that changes between compilers or versions will not affect the code.

Type alignment requirements can also affect the size of structures. For example, the size of the following structure is implementation-defined:

struct s {
   int i;
   double d;
};

Assuming 32-bit integers and 64-bit doubles, for example, the size can range from 12 or 16 bytes, depending on alignment rules.

Non-Compliant Code Example

This non-compliant code example attempts to declare two dimensional array of integers with variable length rows. On a platform with 64-bit integers, the loop will access memory outside the allocated memory section.

/* assuming 32-bit pointer, 32-bit integer */
size_t i;
int **matrix = (int **)calloc(100, 4);
if (matrix == NULL) {
  /* handle error */
}

for (i = 0; i < 100; i++) {
   matrix[i] = (int *)calloc(i, 4);
   if (matrix[i] == NULL) {
     /* handle error */
   }
}

Compliant Solution

This compliant solution replaces the hard-coded value 4 with sizeof(int *).

size_t i;
int **matrix = (int **)calloc(100, sizeof(int *));
if (matrix == NULL) {
   /* handle error */
}

for (i = 0; i < 100; i++) {
   matrix[i] = (int *)calloc(i, sizeof(int));
   if (matrix[i] == NULL) {
      /* handle error */
   }
}

Also see MEM02-A. Immediately cast the result of a memory allocation function call into a pointer to the allocated type for a discussion on the use of the sizeof operator with memory allocation functions.

Risk Assessment

If non-compliant code is ported to a different platform, it could introduce a buffer or stack overflow vulnerability.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

EXP09-A

3 (high)

1 (unlikely)

2 (medium)

P6

L2

Automated Detection

The tool Compass Rose is able to detect violations of this recommendation.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 6.2.6, "Representations of types," and Section 6.5.3.4, "The sizeof operator"

EXP08-A. Ensure pointer arithmetic is used correctly      03. Expressions (EXP)       DCL13-A. Function arguments that are pointers to values not changed by the function should be declared const

  • No labels