book

The CERT ® C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition

Name: The CERT ® C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition
Author: Robert C. Seacord
ISBN: 9780133812275

by Robert C. Seacord

April 2014

Intermediate to advanced

576 pages

14h 45m

English

Addison-Wesley Professional

Read now

Unlock full access

About This eBook
Title Page
Copyright Page
Dedication Page
Contents
Preface
ScopeWho Should Read This BookHistoryISO/IEC TS 17961 C Secure Coding RulesTool Selection and ValidationTaint AnalysisRules versus RecommendationsUsageConformance TestingSystem QualitiesHow This Book Is OrganizedAutomatically Generated CodeGovernment Regulations
Acknowledgments
Contributors
About the Author
Chapter 1. Preprocessor (PRE)
PRE30-C. Do not create a universal character name through concatenationPRE31-C. Avoid side effects in arguments to unsafe macrosPRE32-C. Do not use preprocessor directives in invocations of function-like macros

Chapter 2. Declarations and Initialization (DCL)
DCL30-C. Declare objects with appropriate storage durationsDCL31-C. Declare identifiers before using themDCL36-C. Do not declare an identifier with conflicting linkage classificationsDCL37-C. Do not declare or define a reserved identifierDCL38-C. Use the correct syntax when declaring a flexible array memberDCL39-C. Avoid information leakage in structure paddingDCL40-C. Do not create incompatible declarations of the same function or objectDCL41-C. Do not declare variables inside a switch statement before the first case label
Chapter 3. Expressions (EXP)
EXP30-C. Do not depend on the order of evaluation for side effectsEXP32-C. Do not access a volatile object through a nonvolatile referenceEXP33-C. Do not read uninitialized memoryEXP34-C. Do not dereference null pointersEXP35-C. Do not modify objects with temporary lifetimeEXP36-C. Do not cast pointers into more strictly aligned pointer typesEXP37-C. Call functions with the correct number and type of argumentsEXP39-C. Do not access a variable through a pointer of an incompatible typeEXP40-C. Do not modify constant objectsEXP42-C. Do not compare padding dataEXP43-C. Avoid undefined behavior when using restrict-qualified pointersEXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _GenericEXP45-C. Do not perform assignments in selection statements
Chapter 4. Integers (INT)
INT30-C. Ensure that unsigned integer operations do not wrapINT31-C. Ensure that integer conversions do not result in lost or misinterpreted dataINT32-C. Ensure that operations on signed integers do not result in overflowINT33-C. Ensure that division and remainder operations do not result in divide-by-zero errorsINT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operandINT35-C. Use correct integer precisionsINT36-C. Converting a pointer to integer or integer to pointer
Chapter 5. Floating Point (FLP)
FLP30-C. Do not use floating-point variables as loop countersFLP32-C. Prevent or detect domain and range errors in math functionsFLP34-C. Ensure that floating-point conversions are within range of the new typeFLP36-C. Preserve precision when converting integral values to floating-point type
Chapter 6. Arrays (ARR)
ARR30-C. Do not form or use out-of-bounds pointers or array subscriptsARR32-C. Ensure size arguments for variable length arrays are in a valid rangeARR36-C. Do not subtract or compare two pointers that do not refer to the same arrayARR37-C. Do not add or subtract an integer to a pointer to a non-array objectARR38-C. Guarantee that library functions do not form invalid pointersARR39-C. Do not add or subtract a scaled integer to a pointer
Chapter 7. Characters and Strings (STR)
STR30-C. Do not attempt to modify string literalsSTR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminatorSTR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a stringSTR34-C. Cast characters to unsigned char before converting to larger integer sizesSTR37-C. Arguments to character handling functions must be representable as an unsigned charSTR38-C. Do not confuse narrow and wide character strings and functions
Chapter 8. Memory Management (MEM)
MEM30-C. Do not access freed memoryMEM31-C. Free dynamically allocated memory when no longer neededMEM33-C. Allocate and copy structures containing a flexible array member dynamicallyMEM34-C. Only free memory allocated dynamicallyMEM35-C. Allocate sufficient memory for an objectMEM36-C. Do not modify the alignment of objects by calling realloc()
Chapter 9. Input/Output (FIO)
FIO30-C. Exclude user input from format stringsFIO31-C. Do not open a file that is already openFIO32-C. Do not perform operations on devices that are only appropriate for filesFIO34-C. Distinguish between characters read from a file and EOF or WEOFFIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when successfulFIO38-C. Do not copy a FILE objectFIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning callFIO40-C. Reset strings on fgets() or fgetws() failureFIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effectsFIO42-C. Close files when they are no longer neededFIO44-C. Only use values for fsetpos() that are returned from fgetpos()FIO45-C. Avoid TOCTOU race conditions while accessing filesFIO46-C. Do not access a closed fileFIO47-C. Use valid format strings
Chapter 10. Environment (ENV)
ENV30-C. Do not modify the object referenced by the return value of certain functionsENV31-C. Do not rely on an environment pointer following an operation that may invalidate itENV32-C. All exit handlers must return normallyENV33-C. Do not call system()ENV34-C. Do not store pointers returned by certain functions
Chapter 11. Signals (SIG)
SIG30-C. Call only asynchronous-safe functions within signal handlersSIG31-C. Do not access shared objects in signal handlersSIG34-C. Do not call signal() from within interruptible signal handlersSIG35-C. Do not return from a computational exception signal handler
Chapter 12. Error Handling (ERR)
ERR30-C. Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failureERR32-C. Do not rely on indeterminate values of errnoERR33-C. Detect and handle standard library errors
Chapter 13. Concurrency (CON)
CON30-C. Clean up thread-specific storageCON31-C. Do not destroy a mutex while it is lockedCON32-C. Prevent data races when accessing bit-fields from multiple threadsCON33-C. Avoid race conditions when using library functionsCON34-C. Declare objects shared between threads with appropriate storage durationsCON35-C. Avoid deadlock by locking in a predefined orderCON36-C. Wrap functions that can spuriously wake up in a loopCON37-C. Do not call signal() in a multithreaded programCON38-C. Preserve thread-safety and liveness when using condition variablesCON39-C. Do not join or detach a thread that was previously joined or detachedCON40-C. Do not refer to an atomic variable twice in an expressionCON41-C. Wrap functions that can fail spuriously in a loop
Chapter 14. Miscellaneous (MSC)
MSC30-C. Do not use the rand() function for generating pseudorandom numbersMSC32-C. Properly seed pseudorandom number generatorsMSC33-C. Do not pass invalid data to the asctime() functionMSC37-C. Ensure that control never reaches the end of a non-void functionMSC38-C. Do not treat a predefined identifier as an object if it might only be implemented as a macroMSC39-C. Do not call va_arg() on a va_list that has an indeterminate valueMSC40-C. Do not violate constraints
Appendix A. Glossary
Appendix B. Undefined Behavior
Appendix C. Unspecified Behavior
Bibliography
Index

Content preview from The CERT ® C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition

Chapter 9. Input/Output (FIO)

Chapter Contents

Risk Assessment Summary

FIO30-C. Exclude user input from format strings

Never call a formatted I/O function with a format string containing a tainted value. An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location. Consequently, the attacker can execute ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780133812275Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The CERT ® C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition

by Robert C. Seacord

Chapter 9. Input/Output (FIO)

FIO30-C. Exclude user input from format strings

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.