SEI CERT C Coding Standard

SEI CERT C Coding Standard

Rules for Developing Safe, Reliable, and Secure Systems

2016 Edition

Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. This report was prepared for the SEI Administrative Agent AFLCMC/PZM 20 Schilling Circle, Bldg. 1305, 3rd floor Hanscom AFB, MA 01731-2125 NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works. External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. * These restrictions do not apply to U.S. government entities. Carnegie Mellon? and CERT? are registered marks of Carnegie Mellon University. DM-0003560

v2016-06-29-1140

Table of Contents

1 Introduction

1

1.1 Scope

2

1.2 Audience

3

1.3 History

4

1.4 ISO/IEC TS 17961 C Secure Coding Rules

5

1.5 Tool Selection and Validation

7

1.6 Taint Analysis

9

1.7 Rules Versus Recommendations

10

1.8 Conformance Testing

11

1.9 Development Process

12

1.10 Usage

13

1.11 System Qualities

13

1.12 Vulnerability Metric

13

1.13 How This Coding Standard Is Organized

14

1.14 Automatically Generated Code

18

1.15 Government Regulations

19

1.16 Acknowledgments

20

2 Preprocessor (PRE)

23

2.1 PRE30-C. Do not create a universal character name through concatenation

23

2.2 PRE31-C. Avoid side effects in arguments to unsafe macros

25

2.3 PRE32-C. Do not use preprocessor directives in invocations of function-like macros 30

3 Declarations and Initialization (DCL)

32

3.1 DCL30-C. Declare objects with appropriate storage durations

32

3.2 DCL31-C. Declare identifiers before using them

36

3.3 DCL36-C. Do not declare an identifier with conflicting linkage classifications

40

3.4 DCL37-C. Do not declare or define a reserved identifier

43

3.5 DCL38-C. Use the correct syntax when declaring a flexible array member

50

3.6 DCL39-C. Avoid information leakage when passing a structure across a trust boundary 53

3.7 DCL40-C. Do not create incompatible declarations of the same function or object

60

3.8 DCL41-C. Do not declare variables inside a switch statement before the first case label 66

4 Expressions (EXP)

68

4.1 EXP30-C. Do not depend on the order of evaluation for side effects

68

4.2 EXP32-C. Do not access a volatile object through a nonvolatile reference

74

4.3 EXP33-C. Do not read uninitialized memory

76

4.4 EXP34-C. Do not dereference null pointers

85

4.5 EXP35-C. Do not modify objects with temporary lifetime

90

4.6 EXP36-C. Do not cast pointers into more strictly aligned pointer types

93

4.7 EXP37-C. Call functions with the correct number and type of arguments

98

4.8 EXP39-C. Do not access a variable through a pointer of an incompatible type

103

4.9 EXP40-C. Do not modify constant objects

109

4.10 EXP42-C. Do not compare padding data

111

4.11 EXP43-C. Avoid undefined behavior when using restrict-qualified pointers

114

SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems

i

Software Engineering Institute | Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

4.12 EXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _Generic

122

4.13 EXP45-C. Do not perform assignments in selection statements

126

4.14 EXP46-C. Do not use a bitwise operator with a Boolean-like operand

131

5 Integers (INT)

132

5.1 INT30-C. Ensure that unsigned integer operations do not wrap

132

5.2 INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data 138

5.3 INT32-C. Ensure that operations on signed integers do not result in overflow

147

5.4 INT33-C. Ensure that division and remainder operations do not result in divide-by-zero

errors

157

5.5 INT34-C. Do not shift an expression by a negative number of bits or by greater than or

equal to the number of bits that exist in the operand

160

5.6 INT35-C. Use correct integer precisions

166

5.7 INT36-C. Converting a pointer to integer or integer to pointer

169

6 Floating Point (FLP)

173

6.1 FLP30-C. Do not use floating-point variables as loop counters

173

6.2 FLP32-C. Prevent or detect domain and range errors in math functions

176

6.3 FLP34-C. Ensure that floating-point conversions are within range of the new type

185

6.4 FLP36-C. Preserve precision when converting integral values to floating-point type 189

6.5 FLP37-C. Do not use object representations to compare floating-point values

191

7 Array (ARR)

193

7.1 ARR30-C. Do not form or use out-of-bounds pointers or array subscripts

193

7.2 ARR32-C. Ensure size arguments for variable length arrays are in a valid range

203

7.3 ARR36-C. Do not subtract or compare two pointers that do not refer to the same array 207

7.4 ARR37-C. Do not add or subtract an integer to a pointer to a non-array object

209

7.5 ARR38-C. Guarantee that library functions do not form invalid pointers

212

7.6 ARR39-C. Do not add or subtract a scaled integer to a pointer

222

8 Characters and Strings (STR)

226

8.1 STR30-C. Do not attempt to modify string literals

226

8.2 STR31-C. Guarantee that storage for strings has sufficient space for character

data and the null terminator

230

8.3 STR32-C. Do not pass a non-null-terminated character sequence to a library function

that expects a string

242

8.4 STR34-C. Cast characters to unsigned char before converting to larger integer sizes 247

8.5 STR37-C. Arguments to character-handling functions must be representable as an

unsigned char

251

8.6 STR38-C. Do not confuse narrow and wide character strings and functions

253

9 Memory Management (MEM)

256

9.1 MEM30-C. Do not access freed memory

256

9.2 MEM31-C. Free dynamically allocated memory when no longer needed

262

9.3 MEM33-C. Allocate and copy structures containing a flexible array member

dynamically

264

9.4 MEM34-C. Only free memory allocated dynamically

269

9.5 MEM35-C. Allocate sufficient memory for an object

273

9.6 MEM36-C. Do not modify the alignment of objects by calling realloc()

277

SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems

ii

Software Engineering Institute | Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

10 Input/Output (FIO)

281

10.1 FIO30-C. Exclude user input from format strings

281

10.2 FIO32-C. Do not perform operations on devices that are only appropriate for files

285

10.3 FIO34-C. Distinguish between characters read from a file and EOF or WEOF

291

10.4 FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when

successful

296

10.5 FIO38-C. Do not copy a FILE object

299

10.6 FIO39-C. Do not alternately input and output from a stream without an intervening

flush or positioning call

301

10.7 FIO40-C. Reset strings on fgets() or fgetws() failure

304

10.8 FIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that

has side effects

306

10.9 FIO42-C. Close files when they are no longer needed

309

10.10 FIO44-C. Only use values for fsetpos() that are returned from fgetpos()

313

10.11 FIO45-C. Avoid TOCTOU race conditions while accessing files

315

10.12 FIO46-C. Do not access a closed file

319

10.13 FIO47-C. Use valid format strings

321

11 Environment (ENV)

326

11.1 ENV30-C. Do not modify the object referenced by the return value of certain functions 326

11.2 ENV31-C. Do not rely on an environment pointer following an operation that may

invalidate it

331

11.3 ENV32-C. All exit handlers must return normally

336

11.4 ENV33-C. Do not call system()

340

11.5 ENV34-C. Do not store pointers returned by certain functions

347

12 Signals (SIG)

353

12.1 SIG30-C. Call only asynchronous-safe functions within signal handlers

353

12.2 SIG31-C. Do not access shared objects in signal handlers

363

12.3 SIG34-C. Do not call signal() from within interruptible signal handlers

367

12.4 SIG35-C. Do not return from a computational exception signal handler

371

13 Error Handling (ERR)

374

13.1 ERR30-C. Set errno to zero before calling a library function known to set errno,

and check errno only after the function returns a value indicating failure

374

13.2 ERR32-C. Do not rely on indeterminate values of errno

381

13.3 ERR33-C. Detect and handle standard library errors

386

14 Concurrency (CON)

403

14.1 CON30-C. Clean up thread-specific storage

403

14.2 CON31-C. Do not destroy a mutex while it is locked

407

14.3 CON32-C. Prevent data races when accessing bit-fields from multiple threads

410

14.4 CON33-C. Avoid race conditions when using library functions

414

14.5 CON34-C. Declare objects shared between threads with appropriate storage durations 418

14.6 CON35-C. Avoid deadlock by locking in a predefined order

426

14.7 CON36-C. Wrap functions that can spuriously wake up in a loop

431

14.8 CON37-C. Do not call signal() in a multithreaded program

435

14.9 CON38-C. Preserve thread safety and liveness when using condition variables

437

14.10 CON39-C. Do not join or detach a thread that was previously joined or detached

445

SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems

iii

Software Engineering Institute | Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download