Location / Before (with error) / After (with correction) / Rationale
Location: Taint and Tainted Sources
After: Material from this section was contributed to ISO/IEC TS 17961:2013.

Location: Taint and Tainted Sources
Before: ...Brendan Saulsbury, Robert C. Seacord...
After: ...Brendan Saulsbury, Roger Scott, Robert C. Seacord...
Location: Noncompliant Code Example (Header Guard)
Before: A common, but noncompliant, practice is to choose a reserved name for a macro used in a preprocessor conditional guarding against multiple inclusions of a header file. (See also PRE06-C. Enclose header files in an inclusion guard.)
After: A common, but noncompliant, practice is to choose a reserved name for a macro used in a preprocessor conditional guarding against multiple inclusions of a header file. (See also PRE06-C. Enclose header files in an include guard.)

Location: Compliant Solution (Header Guard)
Before: This compliant solution avoids using leading underscores in the name of the header guard:
After: This compliant solution avoids using leading underscores in the name of the include guard:
Before: However, compilers are free to implement arg.b = 2 by setting the low byte of a 32-bit register to 2, leaving the high bytes unchanged and storing all 32 bits of the register into memory. This implementation could leak the high-order bytes resident in the register to a user.
After: ...arg.b = 2 by setting the low-order bits of a register to 2, leaving the high-order bits unchanged and containing sensitive information. Then the platform copies all register bits into memory, leaving sensitive information in the padding bits. Consequently, this implementation could leak the high-order bits from the register to a user.

Before:
    memcpy(buf + offset, &arg.c, sizeof(arg.c));
    offset += sizeof(arg.c);
After:
    memcpy(buf + offset, &arg.c, sizeof(arg.c));
    offset += sizeof(arg.c);
    /* Set all remaining bytes to zero */
    memset(buf + offset, 0, sizeof(arg) - offset);

Before: __attribute__((__packed__)). When this attribute is present, the compiler will not add padding bytes for memory alignment unless otherwise required by the _Alignas alignment specifier ...
After: __attribute__((__packed__)). When this attribute is present, the compiler will not add padding bytes for memory alignment unless an explicit alignment specifier for a structure member requires the introduction of padding bytes.

Before: However, compilers are free to implement the initialization of arg.a and arg.b by setting the low byte of a 32-bit register to the value specified, leaving the high bytes unchanged and storing all 32 bits of the register into memory. This implementation could leak the high-order bytes resident in the register to a user.
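Added example (not the book's or the errata's code) of the member-by-member serialization that the corrected compliant solution above relies on: the struct test layout is a hypothetical stand-in for the book's arg, and the 0xAA fill is a constructed stand-in for whatever stale contents the padding bytes would otherwise carry.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical struct (not the book's): common ABIs pad after b to align c,
 * and that padding is never initialized. */
struct test {
    int  a;
    char b;
    int  c;
};

/* Copy each member of *arg into buf (at least sizeof *arg bytes) so the
 * members land contiguously: arg's padding bytes, which may hold stale
 * register or stack contents, are never copied, and the unused tail of
 * buf is zeroed explicitly. Returns the payload size. */
size_t serialize_test(const struct test *arg, unsigned char *buf) {
    size_t offset = 0;
    memcpy(buf + offset, &arg->a, sizeof(arg->a));
    offset += sizeof(arg->a);
    memcpy(buf + offset, &arg->b, sizeof(arg->b));
    offset += sizeof(arg->b);
    memcpy(buf + offset, &arg->c, sizeof(arg->c));
    offset += sizeof(arg->c);
    /* Set all remaining bytes to zero */
    memset(buf + offset, 0, sizeof(*arg) - offset);
    return offset;
}

/* Returns 1 when every byte of buf past the payload is zero. */
int tail_is_zero(const unsigned char *buf, size_t payload) {
    for (size_t i = payload; i < sizeof(struct test); i++) {
        if (buf[i] != 0) return 0;
    }
    return 1;
}

/* Constructed check: poison a struct with 0xAA (standing in for whatever
 * the padding would otherwise hold), set its members, serialize, and
 * return 1 if the payload is exactly the member sizes and the tail is clean. */
int serialize_demo(void) {
    struct test arg;
    unsigned char buf[sizeof(struct test)];
    memset(&arg, 0xAA, sizeof arg);
    arg.a = 1; arg.b = 2; arg.c = 3;
    size_t n = serialize_test(&arg, buf);
    return n == sizeof(arg.a) + sizeof(arg.b) + sizeof(arg.c)
        && tail_is_zero(buf, n);
}
```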
MISRA C:2012 Rule 12.1 (advisory)
Before:
    static unsigned int tun_chr_poll(struct file *file, poll_table *wait) {
      struct tun_file *tfile = file->private_data;
      struct tun_struct *tun = __tun_get(tfile);
      struct sock *sk;
      unsigned int mask = 0;
      if (!tun)
        return POLLERR;
      sk = tun->sk;
      /* The remaining code is omitted because it is unchanged... */
    }
After:
    static unsigned int tun_chr_poll(struct file *file, poll_table *wait) {
      assert(file);
      struct tun_file *tfile = file->private_data;
      struct tun_struct *tun = __tun_get(tfile);
      struct sock *sk;
      unsigned int mask = 0;
      if (!tun)
        return POLLERR;
      assert(tun->dev);
      sk = tun->sk;
      assert(sk);
      assert(sk->socket);
      /* The remaining code is omitted because it is unchanged... */
    }
Before: On such an architecture, improper pointer alignment is permitted but remains an efficiency problem.
After: On such an architecture, improper pointer alignment is permitted but remains an efficiency problem.

Before: The x86 32- and 64-bit architectures...
After: ...but they must also ensure that their compiler, along with its optimizer, also respect these guarantees.
Before:
      if (wp->j == 12) {
        /* ... */
      }
    }
After:
      if (wp->j == 12) {
        /* ... */
      }
      /* ... */
      free(wp);
    }
Before:
    if (0 == memcmp(left, right, sizeof(struct s))) {
After:
    if ((left && right) &&
        (0 == memcmp(left, right, sizeof(struct s)))) {
Location: 4.13.1 Noncompliant Code Example
After: Performing assignment statements in other contexts do not violate this rule. However, they may violate other rules, such as EXP30-C. Do not depend on the order of evaluation for side effects.

Location: 4.13.1 Noncompliant Code Example
Before:
    while (ch = '\t' && ch == ' ' && ch == '\n') {
    while ('\t' = ch && ' ' == ch && '\n' == ch) {
    while ('\t' == ch && ' ' == ch && '\n' == ch) {
After:
    while (ch = '\t' || ch == ' ' || ch == '\n') {
    while ('\t' = ch || ' ' == ch || '\n' == ch) {
    while ('\t' == ch || ' ' == ch || '\n' == ch) {
Location: p. 150, Section 5.3.5.2
Before: This compliant solution eliminates signed overflow on systems where long is at least twice the precision of int:
After: This compliant solution eliminates signed overflow on systems where long long is at least twice the precision of int:
Rationale: The phrase should be “long long” not “long.”
Location: p. 186, Section 6.3.2
Before:
    if (PRECISION(INT_MAX) < log2f(fabsf(f_a)) ||
        (f_a != 0.0F && fabsf(f_a) < FLT_MIN)) {
      /* Handle error */
After:
    if (isnan(f_a) ||
        PRECISION(INT_MAX) < log2f(fabsf(f_a)) ||
        (f_a != 0.0F && fabsf(f_a) < FLT_MIN)) {
      /* Handle error */

Before:
    if (isgreater(fabs(d_a), FLT_MAX) ||
        isless(fabs(d_a), FLT_MIN)) {
      /* Handle error */
    } else {
      f_a = (float)d_a;
    }
    if (isgreater(fabsl(big_d), FLT_MAX) ||
        isless(fabsl(big_d), FLT_MIN)) {
      /* Handle error */
    } else {
      f_b = (float)big_d;
    }
    if (isgreater(fabsl(big_d), DBL_MAX) ||
        isless(fabsl(big_d), DBL_MIN)) {
      /* Handle error */
After:
    if (d_a != 0.0 &&
        (isnan(d_a) ||
         isgreater(fabs(d_a), FLT_MAX) ||
         isless(fabs(d_a), FLT_MIN))) {
      /* Handle error */
    } else {
      f_a = (float)d_a;
    }
    if (big_d != 0.0 &&
        (isnan(big_d) ||
         isgreater(fabs(big_d), FLT_MAX) ||
         isless(fabs(big_d), FLT_MIN))) {
      /* Handle error */
    } else {
      f_b = (float)big_d;
    }
    if (big_d != 0.0 &&
        (isnan(big_d) ||
         isgreater(fabs(big_d), DBL_MAX) ||
         isless(fabs(big_d), DBL_MIN))) {
      /* Handle error */
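Added example (not the book's code) that wraps the corrected range check above into a reusable conversion routine and applies the same pattern to the long double to double case with fabsl; the two status-returning function names are assumptions made here.

```c
#include <float.h>
#include <math.h>

/* Convert d_a to float only if the value is representable. The leading
 * d_a != 0.0 lets zero through (its magnitude is below FLT_MIN); isnan()
 * is needed because a NaN fails every ordinary comparison and would
 * otherwise slip past the range tests and reach the cast. Returns 0 and
 * stores the result in *out on success; returns -1 and leaves *out
 * untouched on error. */
int double_to_float_checked(double d_a, float *out) {
    if (d_a != 0.0 &&
        (isnan(d_a) ||
         isgreater(fabs(d_a), FLT_MAX) ||
         isless(fabs(d_a), FLT_MIN))) {
        return -1;  /* NaN, overflow, or underflow: handle error */
    }
    *out = (float)d_a;
    return 0;
}

/* Same pattern for long double to double. fabsl() keeps the magnitude in
 * long double so a value above DBL_MAX is compared before any narrowing. */
int ldouble_to_double_checked(long double big_d, double *out) {
    if (big_d != 0.0L &&
        (isnan(big_d) ||
         isgreater(fabsl(big_d), DBL_MAX) ||
         isless(fabsl(big_d), DBL_MIN))) {
        return -1;  /* NaN, overflow, or underflow: handle error */
    }
    *out = (double)big_d;
    return 0;
}
```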
Before:
    long int big = 1234567890;
After:
    long int big = 1234567890L;
Location: p. 203, Section 7.2.1
Before: In this noncompliant code example, a variable length array of size is declared.
After: In this noncompliant code example, a variable length array of size size is declared.
Rationale: The second “size” was missing.
Location: p. 226, Section 8.1
Before: A character string literal is a sequence of zero or more multibyte characters enclosed in double-quotes, as in "xyz."
After: A character string literal is a sequence of zero or more multibyte characters enclosed in double-quotes, as in "xyz".
Rationale: The period should appear outside the quote, not inside the quote, because the quote is part of the character string.
Before: The code checks for unsigned integer overflow in compliance with INT32-C. Ensure that operations on signed integers do not result in overflow and also ensures that len is not equal to zero.
After: len is not equal to zero.

Before:
    if (msg != NULL) {
      /* Handle error */
    }
After:
    if (msg == NULL) {
      /* Handle error */
    }
Location: p. 286, Section 10.2.2
Before: When opening a FIFO with O_RDONLY or O_WRONLY set:
When opening a block special or character special file that supports nonblocking opens:
Otherwise, the behavior of O_NONBLOCK is unspecified.
After: When opening a FIFO with O_RDONLY or O_WRONLY set:
- If O_NONBLOCK is set, an open() for reading-only returns without delay. An open() for writing-only returns an error if no process currently has the file open for reading.
- If O_NONBLOCK is clear, an open() for reading-only blocks the calling thread until a thread opens the file for writing. An open() for writing-only blocks the calling thread until a thread opens the file for reading.
When opening a block special or character special file that supports nonblocking opens:
- If O_NONBLOCK is set, the open() function returns without blocking for the device to be ready or available; subsequent behavior is device-specific.
- If O_NONBLOCK is clear, the open() function blocks the calling thread until the device is ready or available before returning.
Otherwise, the behavior of O_NONBLOCK is unspecified.
Rationale: Bulleted items were missing.
Location: p. 365, Section 12.2.3
Before: Signal handlers can refer to objects with static or thread storage a duration that are lock-free atomic objects, as in this compliant solution:
After: Signal handlers can refer to objects with static or thread storage durations that are lock-free atomic objects, as in this compliant solution:
Rationale: The phrase should be “storage durations” not “storage a duration.”

Before:
• Those that set errno and return and out-of-band error indicator
• Those that set errno and return and in-band error indicator
After:
• Those that set errno and return an out-of-band error indicator
• Those that set errno and return an in-band error indicator
Location: p. 447, Section 14.11.1
Before: This noncompliant code example declares a shared atomic_boolflag variable and provides a toggle_flag() method that negates the current value of flag:
After: This noncompliant code example declares a shared atomic_bool flag variable and provides a toggle_flag() method that negates the current value of flag:
Rationale: The variable should be “atomic_bool flag,” not “atomic_boolflag.”

Before: flag is read, negated, and written back.
After: flag is read, negated, and written back.

Before: 137 The macro va_arg is invoked using the parameter ap that was passed to a function that invoked the macro va_arg with the same parameter (7.16). CON37-C
After: passed to a function that invoked the macro va_arg with the same parameter (7.16)