The CERT® C Secure Coding Standard

Book Description

“I’m an enthusiastic supporter of the CERT Secure Coding Initiative. Programmers have lots of sources of advice on correctness, clarity, maintainability, performance, and even safety. Advice on how specific language features affect security has been missing. The CERT® C Secure Coding Standard fills this need.”
–Randy Meyers, Chairman of ANSI C

“For years we have relied upon the CERT/CC to publish advisories documenting an endless stream of security problems. Now CERT has embodied the advice of leading technical experts to give programmers and managers the practical guidance needed to avoid those problems in new applications and to help secure legacy systems. Well done!”
–Dr. Thomas Plum, founder of Plum Hall, Inc.

“Connectivity has sharply increased the need for secure, hacker-safe applications. By combining this CERT standard with other safety guidelines, customers gain all-round protection and approach the goal of zero-defect software.”
–Chris Tapp, Field Applications Engineer, LDRA Ltd.

“I’ve found this standard to be an indispensable collection of expert information on exactly how modern software systems fail in practice. It is the perfect place to start for establishing internal secure coding guidelines. You won’t find this information elsewhere, and, when it comes to software security, what you don’t know is often exactly what hurts you.”
–John McDonald, coauthor of The Art of Software Security Assessment

Software security has major implications for the operations and assets of organizations, as well as for the welfare of individuals. To create secure software, developers must know where the dangers lie. Secure programming in C can be more difficult than even many experienced programmers believe.

This book is an essential desktop reference documenting the first official release of The CERT® C Secure Coding Standard. The standard itemizes those coding errors that are the root causes of software vulnerabilities in C and prioritizes them by severity, likelihood of exploitation, and remediation costs. Each guideline provides examples of insecure code as well as secure, alternative implementations. If uniformly applied, these guidelines will eliminate the critical coding errors that lead to buffer overflows, format string vulnerabilities, integer overflow, and other common software vulnerabilities.

Table of Contents

  1. Copyright
    1. Dedication
  2. The SEI Series in Software Engineering
  3. Preface
    1. The Demand for Secure Software
    2. Community Development Process
      1. The Wiki versus This Book
      2. Purpose
      3. Rules
      4. Recommendations
    3. Scope
      1. Rationale
      2. Issues Not Addressed
    4. Who Should Read This Book
    5. How This Book Is Organized
      1. Guideline Identifiers
      2. Noncompliant Code Examples and Compliant Solutions
      3. Risk Assessment
      4. References
      5. Related Vulnerabilities
        1. Vulnerability Metric
        2. Vulnerability ID
        3. Date Public
        4. Vulnerability Name
  4. Acknowledgments
    1. Contributors
    2. Reviewers
    3. Editors and Compositors
    4. Developers and Administrators
    5. Addison-Wesley
    6. Special Thanks
  5. About the Author
  6. 1. Using This Standard
    1. System Qualities
    2. Automatically Generated Code
    3. Compliance
      1. Source Code Compliance
      2. Tool Selection and Validation
      3. Levels
      4. Rules versus Recommendations
      5. Deviation Procedure
  7. 2. Preprocessor (PRE)
    1. PRE00-C. Prefer inline or static functions to function-like macros
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Noncompliant Code Example
      6. Compliant Solution
        1. Platform-Specific Details
      7. Exceptions
      8. Risk Assessment
      9. References
    2. PRE01-C. Use parentheses within macros around parameter names
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    3. PRE02-C. Macro replacement lists should be parenthesized
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Exceptions
      6. Risk Assessment
      7. References
    4. PRE03-C. Prefer type definitions to defines for encoding types
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    5. PRE04-C. Do not reuse a standard header file name
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. PRE05-C. Understand macro replacement when concatenating tokens or performing stringification
      1. Concatenating Tokens
      2. Stringification
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Noncompliant Code Example
      6. Compliant Solution
      7. Risk Assessment
      8. References
    7. PRE06-C. Enclose header files in an inclusion guard
      1. Compliant Solution
      2. Risk Assessment
      3. References
    8. PRE07-C. Avoid using repeated question marks
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    9. PRE08-C. Guarantee that header file names are unique
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    10. PRE09-C. Do not replace secure functions with less secure functions
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. PRE10-C. Wrap multistatement macros in a do-while loop
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    12. PRE30-C. Do not create a universal character name through concatenation
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    13. PRE31-C. Never invoke an unsafe macro with arguments containing assignment, increment, decrement, volatile access, or function call
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
  8. 3. Declarations and Initialization (DCL)
    1. DCL00-C. const-qualify immutable objects
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    2. DCL01-C. Do not reuse variable names in subscopes
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    3. DCL02-C. Use visually distinct identifiers
      1. Risk Analysis
      2. References
    4. DCL03-C. Use a static assertion to test the value of a constant expression
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Compliant Solution
      4. Risk Assessment
      5. References
    5. DCL04-C. Do not declare more than one variable per declaration
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Example
      4. Compliant Solution
      5. Exceptions
      6. Risk Assessment
      7. References
    6. DCL05-C. Use type definitions to improve code readability
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    7. DCL06-C. Use meaningful symbolic constants to represent literal values in program logic
      1. const-qualified Objects
      2. Enumeration Constants
      3. Object-Like Macros
      4. Summary
      5. Noncompliant Code Example
      6. Compliant Solution
      7. Noncompliant Code Example
      8. Compliant Solution (enum)
      9. Compliant Solution (sizeof)
      10. Noncompliant Code Example
      11. Compliant Solution
      12. Exceptions
      13. Risk Assessment
      14. References
    8. DCL07-C. Include the appropriate type information in function declarators
      1. Noncompliant Code Example (Non–Prototype-Format Declarators)
      2. Compliant Solution (Non–Prototype-Format Declarators)
      3. Noncompliant Code Example (Function Prototypes)
      4. Compliant Solution (Function Prototypes)
      5. Noncompliant Code Example (Function Pointers)
      6. Compliant Solution (Function Pointers)
      7. Risk Assessment
      8. References
    9. DCL08-C. Properly encode relationships in constant definitions
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    10. DCL09-C. Declare functions that return an errno error code with a return type of errno_t
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. DCL10-C. Maintain the contract between the writer and caller of variadic functions
      1. Argument Processing
      2. Noncompliant Code Example
      3. Compliant Solution
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Argument List Caveats
      7. Risk Assessment
      8. References
    12. DCL11-C. Understand the type issues associated with variadic functions
      1. Noncompliant Code Example (Type Interpretation Error)
      2. Compliant Solution (Type Interpretation Error)
      3. Noncompliant Code Example (Type Alignment Error)
      4. Compliant Solution (Type Alignment Error)
      5. Risk Assessment
      6. References
    13. DCL12-C. Implement abstract data types using opaque types
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    14. DCL13-C. Declare function parameters that are pointers to values not changed by the function as const
      1. Noncompliant Code Example
      2. Noncompliant Code Example
      3. Compliant Solution
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Risk Assessment
      7. References
    15. DCL14-C. Do not make assumptions about the order of global variable initialization across translation units
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    16. DCL15-C. Declare objects that do not need external linkage with the storage-class specifier static
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    17. DCL30-C. Declare objects with appropriate storage durations
      1. Noncompliant Code Example (Static Variables)
      2. Compliant Solution (p with Block Scope)
      3. Compliant Solution (p with File Scope)
      4. Noncompliant Code Example (Return Values)
      5. Compliant Solution (Return Values)
      6. Risk Assessment
      7. References
    18. DCL31-C. Declare identifiers before using them
      1. Noncompliant Code Example (Implicit int)
      2. Compliant Solution
      3. Noncompliant Code Example (Implicit Function Declaration)
      4. Compliant Solution (Implicit Function Declaration)
      5. Noncompliant Code Example (Implicit Return Type)
      6. Compliant Solution (Implicit Return Type)
      7. Risk Assessment
      8. References
    19. DCL32-C. Guarantee that mutually visible identifiers are unique
      1. Noncompliant Code Example (Source Character Set)
      2. Compliant Solution (Source Character Set)
      3. Noncompliant Code Example (Universal Characters)
      4. Compliant Solution (Universal Characters)
      5. Risk Assessment
      6. References
    20. DCL33-C. Ensure that restrict-qualified source and destination pointers in function arguments do not reference overlapping objects
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    21. DCL34-C. Use volatile for data that cannot be cached
      1. Noncompliant Code Example
      2. Noncompliant Code Example
      3. Compliant Solution
      4. Risk Assessment
      5. References
    22. DCL35-C. Do not convert a function using a type that does not match the function definition
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    23. DCL36-C. Do not declare an identifier with conflicting linkage classifications
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
  9. 4. Expressions (EXP)
    1. EXP00-C. Use parentheses for precedence of operation
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
        1. Related Vulnerabilities
      5. References
    2. EXP01-C. Do not take the size of a pointer to determine the size of the pointed-to type
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    3. EXP02-C. Be aware of the short-circuit behavior of the logical AND and OR operators
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    4. EXP03-C. Do not assume the size of a structure is the sum of the sizes of its members
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    5. EXP04-C. Do not perform byte-by-byte comparisons between structures
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. EXP05-C. Do not cast away a const qualification
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Exceptions
      6. Risk Assessment
      7. References
    7. EXP06-C. Operands to the sizeof operator should not contain side effects
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    8. EXP07-C. Do not diminish the benefits of constants by assuming their values in expressions
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    9. EXP08-C. Ensure pointer arithmetic is used correctly
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. Reference
    10. EXP09-C. Use sizeof to determine the size of a type or variable
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. EXP10-C. Do not depend on the order of evaluation of subexpressions or the order in which side effects take place
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    12. EXP11-C. Do not apply operators expecting one type to data of an incompatible type
      1. Noncompliant Code Example (Integers versus Floating-Point Numbers)
      2. Compliant Solution (Integers versus Floating-Point Numbers)
      3. Noncompliant Code Example (Bit-Field Alignment)
      4. Compliant Solution (Bit-Field Alignment)
      5. Noncompliant Code Example (Bit-Field Overlap)
      6. Compliant Solution (Bit-Field Overlap)
      7. Risk Assessment
      8. References
    13. EXP12-C. Do not ignore values returned by functions
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    14. EXP30-C. Do not depend on order of evaluation between sequence points
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    15. EXP31-C. Avoid side effects in assertions
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    16. EXP32-C. Do not cast away a volatile qualification
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    17. EXP33-C. Do not reference uninitialized memory
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Compliant Solution
      7. Risk Assessment
      8. References
    18. EXP34-C. Ensure a null pointer is not dereferenced
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    19. EXP35-C. Do not access or modify the result of a function call after a subsequent sequence point
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    20. EXP36-C. Do not convert pointers into more strictly aligned pointer types
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    21. EXP37-C. Call functions with the arguments intended by the API
      1. Noncompliant Code Example (Function Pointers)
      2. Compliant Solution (Function Pointers)
      3. Noncompliant Code Example (Variadic Functions)
      4. Compliant Solution (Variadic Functions)
      5. Risk Assessment
        1. Related Vulnerabilities
      6. References
    22. EXP38-C. Do not call offsetof() on bit-field members or invalid types
      1. Noncompliant Code Example (Bit-Field Members)
      2. Compliant Solution (Bit-Field Members)
      3. Noncompliant Code Example (Invalid Structures)
      4. Risk Assessment
      5. References
  10. 5. Integers (INT)
    1. INT00-C. Understand the data model used by your implementation(s)
      1. <limits.h>
      2. <stdint.h>
      3. <inttypes.h>
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Noncompliant Code Example
      7. Compliant Solution
      8. Risk Assessment
      9. References
    2. INT01-C. Use rsize_t or size_t for all integer values representing the size of an object
      1. Noncompliant Code Example
        1. sizeof(size_t) == sizeof(int)
        2. sizeof(size_t) > sizeof(int)
      2. Compliant Solution (TR 24731-1)
      3. Noncompliant Code Example
      4. Compliant Solution (TR 24731-1)
      5. Risk Assessment
      6. References
    3. INT02-C. Understand integer conversion rules
      1. Integer Promotions
      2. Integer Conversion Rank
      3. Usual Arithmetic Conversions
      4. Example
      5. Noncompliant Code Example (Comparison)
      6. Compliant Solution
      7. Risk Assessment
        1. Related Vulnerabilities
      8. References
    4. INT03-C. Use a secure integer library
      1. IntegerLib
      2. Risk Assessment
      3. References
    5. INT04-C. Enforce limits on integer values originating from untrusted sources
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    7. INT06-C. Use strtol() or a related function to convert a string token to an integer
      1. Noncompliant Code Example
      2. Noncompliant Example
      3. Compliant Solution
      4. Risk Assessment
      5. References
    8. INT07-C. Use only explicitly signed or unsigned char type for numeric values
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    9. INT08-C. Verify that all integer values are in range
      1. Saturation Semantics
      2. Modwrap Semantics
      3. Restricted Range Usage
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Risk Assessment
        1. Related Vulnerabilities
      7. References
    10. INT09-C. Ensure enumeration constants map to unique values
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. INT10-C. Do not assume a positive remainder when using the % operator
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    12. INT11-C. Take care when converting from pointer to integer or integer to pointer
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    13. INT12-C. Do not make assumptions about the type of a plain int bit-field when used in an expression
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    14. INT13-C. Use bitwise operators only on unsigned operands
      1. Noncompliant Code Example (Right Shift)
      2. Compliant Solution (Right Shift)
      3. Exceptions
      4. Risk Assessment
      5. References
    15. INT14-C. Avoid performing bitwise and arithmetic operations on the same data
      1. Noncompliant Code Example (Left Shift)
      2. Compliant Solution (Left Shift)
      3. Noncompliant Code Example (Right Shift)
      4. Compliant Solution (Right Shift)
      5. Risk Assessment
      6. References
    16. INT15-C. Use intmax_t or uintmax_t for formatted I/O on programmer-defined integer types
      1. Noncompliant Code Example (printf())
      2. Compliant Solution (printf())
      3. Noncompliant Code Example (scanf())
      4. Compliant Solution (scanf())
      5. Risk Assessment
      6. References
    17. INT30-C. Ensure that unsigned integer operations do not wrap
      1. Addition
        1. Noncompliant Code Example
        2. Compliant Solution
      2. Subtraction
        1. Noncompliant Code Example
        2. Compliant Solution
      3. Multiplication
        1. Noncompliant Code Example
        2. Compliant Solution
      4. Left-Shift Operator
        1. Noncompliant Code Example
        2. Compliant Solution
        3. Exceptions
        4. Risk Assessment
          1. Related Vulnerabilities
        5. References
    18. INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
      1. Noncompliant Code Example (Unsigned to Signed)
      2. Compliant Solution (Unsigned to Signed)
      3. Noncompliant Code Example (Signed to Unsigned)
      4. Compliant Solution (Signed to Unsigned)
      5. Noncompliant Code Example (Signed, Loss of Precision)
      6. Compliant Solution (Signed, Loss of Precision)
      7. Noncompliant Code Example (Unsigned, Loss of Precision)
      8. Compliant Solution (Unsigned, Loss of Precision)
      9. Exceptions
      10. Risk Assessment
      11. References
    19. INT32-C. Ensure that operations on signed integers do not result in overflow
      1. Addition
        1. Noncompliant Code Example
        2. Compliant Solution (Two’s Complement)
        3. Compliant Solution (General)
      2. Subtraction
        1. Noncompliant Code Example
        2. Compliant Solution (Two’s Complement)
      3. Multiplication
        1. Noncompliant Code Example
        2. Compliant Solution
      4. Division
        1. Noncompliant Code Example
        2. Compliant Solution
      5. Modulo
        1. Noncompliant Code Example
        2. Compliant Solution
      6. Unary Negation
        1. Noncompliant Code Example
        2. Compliant Solution
      7. Left-Shift Operator
        1. Noncompliant Code Example
        2. Compliant Solution
        3. Risk Assessment
          1. Related Vulnerabilities
        4. References
    20. INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors
      1. Division
        1. Noncompliant Code Example
        2. Compliant Solution
      2. Modulo
        1. Noncompliant Code Example
        2. Compliant Solution
        3. Risk Assessment
        4. References
    21. INT34-C. Do not shift a negative number of bits or more bits than exist in the operand
      1. Noncompliant Code Example (Left Shift, Signed Type)
      2. Noncompliant Code Example (Left Shift, Unsigned Type)
      3. Compliant Solution (Left Shift, Unsigned Type)
      4. Noncompliant Code Example (Right Shift)
      5. Compliant Solution (Right Shift)
      6. Exceptions
      7. Risk Assessment
      8. References
    22. INT35-C. Evaluate integer expressions in a larger size before comparing or assigning to that size
      1. Noncompliant Code Example
      2. Compliant Solution (Upcast)
      3. Compliant Solution (Rearrange Expression)
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Risk Assessment
      7. References
  11. 6. Floating Point (FLP)
    1. FLP00-C. Understand the limitations of floating-point numbers
      1. Risk Assessment
      2. References
    2. FLP01-C. Take care in rearranging floating-point expressions
      1. Risk Assessment
      2. References
    3. FLP02-C. Consider avoiding floating-point numbers when precise computation is needed
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    4. FLP03-C. Detect and handle floating-point errors
      1. Noncompliant Code Example
      2. Compliant Solution (C99)
      3. Compliant Solution (Windows)
      4. Compliant Solution (Windows SEH)
      5. Risk Assessment
      6. References
    5. FLP30-C. Do not use floating-point variables as loop counters
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    6. FLP31-C. Do not call functions expecting real values with complex values
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    7. FLP32-C. Prevent or detect domain and range errors in math functions
      1. Domain Checking
      2. Range Checking
      3. Noncompliant Code Example (Domain Errors)
      4. Compliant Solution
      5. Noncompliant Code Example (Range Errors)
      6. Compliant Solution
      7. Noncompliant Code Example (Domain and Range Errors)
      8. Compliant Solution
      9. Risk Assessment
      10. References
    8. FLP33-C. Convert integers to floating point for floating-point operations
      1. Noncompliant Code Example
      2. Compliant Solution (Floating-Point Literal)
      3. Compliant Solution (Conversion)
      4. Exceptions
      5. Risk Assessment
      6. References
    9. FLP34-C. Ensure that floating-point conversions are within range of the new type
      1. Noncompliant Code Example (int-float)
      2. Compliant Solution (int-float)
      3. Noncompliant Code Example (Demotions)
      4. Compliant Solution (Demotions)
      5. Risk Assessment
      6. References
  12. 7. Arrays (ARR)
    1. ARR00-C. Understand how arrays work
      1. Risk Assessment
      2. References
    2. ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    3. ARR02-C. Explicitly specify array bounds, even if implicitly defined by an initializer
      1. Noncompliant Code Example (Incorrect Size)
      2. Noncompliant Code Example (Implicit Size)
      3. Compliant Solution
      4. Risk Assessment
      5. References
    4. ARR30-C. Guarantee that array indices are within the valid range
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    5. ARR31-C. Use consistent array notation across all source files
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. ARR32-C. Ensure size arguments for variable length arrays are in a valid range
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    7. ARR33-C. Guarantee that copies are made into storage of sufficient size
      1. Noncompliant Code Example
      2. Compliant Solution (Bounds Checking)
      3. Compliant Solution (Dynamic Allocation)
      4. Risk Assessment
      5. Related Vulnerabilities
      6. References
    8. ARR34-C. Ensure that array types in expressions are compatible
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    9. ARR35-C. Do not allow loops to iterate beyond the end of an array
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. Related Vulnerabilities
      5. References
    10. ARR36-C. Do not subtract or compare two pointers that do not refer to the same array
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. ARR37-C. Do not add or subtract an integer to a pointer to a non-array object
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    12. ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution (Linear Address Space)
      5. Noncompliant Code Example
      6. Compliant Solution
      7. Risk Assessment
      8. Related Vulnerabilities
      9. References
  13. 8. Characters and Strings (STR)
    1. STR00-C. Represent characters using an appropriate type
      1. signed char and unsigned char
      2. “Plain” char
      3. int
      4. unsigned char
      5. wchar_t
      6. Risk Assessment
      7. References
    2. STR01-C. Adopt and implement a consistent plan for managing strings
      1. Risk Assessment
      2. References
    3. STR02-C. Sanitize data passed to complex subsystems
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
        1. Related Vulnerabilities
      6. References
    4. STR03-C. Do not inadvertently truncate a null-terminated byte string
      1. Noncompliant Code Example
      2. Compliant Solution (Adequate Space)
      3. Compliant Solution (TR 24731-1)
      4. Exceptions
      5. Risk Assessment
      6. References
    5. STR04-C. Use plain char for characters in the basic character set
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. STR05-C. Use pointers to const when referring to string literals
      1. Noncompliant Code Example (Narrow String Literal)
      2. Compliant Solution (Immutable Strings)
      3. Compliant Solution (Mutable Strings)
      4. Noncompliant Code Example (Wide String Literal)
      5. Compliant Solution (Immutable Strings)
      6. Compliant Solution (Mutable Strings)
      7. Risk Assessment
      8. References
    7. STR06-C. Do not assume that strtok() leaves the parse string unchanged
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    8. STR07-C. Use TR 24731 for remediation of existing string manipulation code
      1. Noncompliant Code Example
      2. Compliant Solution (Runtime)
      3. Compliant Solution (Partial Compile Time)
      4. Risk Assessment
      5. References
    9. STR08-C. Use managed strings for development of new string manipulation code
      1. Risk Assessment
      2. References
    10. STR30-C. Do not attempt to modify string literals
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    11. STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator
      1. Noncompliant Code Example (Off-by-One Error)
      2. Compliant Solution (Off-by-One Error)
      3. Noncompliant Code Example (argv)
      4. Compliant Solution (argv)
      5. Compliant Solution (argv) (strcpy_s())
      6. Compliant Solution (argv) (memcpy())
      7. Compliant Solution (argv)
      8. Noncompliant Code Example (getenv())
      9. Compliant Solution
      10. Risk Assessment
      11. References
    12. STR32-C. Null-terminate byte strings as required
      1. Noncompliant Code Example (strncpy())
      2. Compliant Solution (Truncation)
      3. Compliant Solution (Copy without Truncation)
      4. Compliant Solution (strncpy_s())
      5. Noncompliant Code Example (realloc())
      6. Compliant Solution (realloc())
      7. Risk Assessment
      8. References
    13. STR33-C. Size wide character strings correctly
      1. Noncompliant Code Example (Improper Function Call)
      2. Noncompliant Code Example (Size Improperly Scaled)
      3. Compliant Solution
      4. Risk Assessment
      5. References
    14. STR34-C. Cast characters to unsigned types before converting to larger integer sizes
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    15. STR35-C. Do not copy data from an unbounded source to a fixed-length array
      1. Noncompliant Code Example (gets())
      2. Compliant Solution (fgets())
      3. Compliant Solution (gets_s())
      4. Noncompliant Code Example (getchar())
      5. Compliant Solution
      6. Noncompliant Code Example (scanf())
      7. Compliant Solution
      8. Risk Assessment
      9. References
    16. STR36-C. Do not specify the bound of a character array initialized with a string literal
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    17. STR37-C. Arguments to character-handling functions must be representable as an unsigned char
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
  14. 9. Memory Management (MEM)
    1. MEM00-C. Allocate and free memory in the same module at the same level of abstraction
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    2. MEM01-C. Store a new value in pointers immediately after free()
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    3. MEM02-C. Immediately cast the result of a memory allocation function call into a pointer to the allocated type
      1. Noncompliant Code Example
      2. Compliant Solution (Hand-Coded)
      3. Compliant Solution (Macros)
      4. Risk Assessment
      5. References
    4. MEM03-C. Clear sensitive information stored in reusable resources returned for reuse
      1. Noncompliant Code Example (free())
      2. Compliant Solution
      3. Noncompliant Code Example (realloc())
      4. Compliant Solution
      5. Risk Assessment
      6. References
    5. MEM04-C. Do not perform zero-length allocations
      1. Noncompliant Code Example (malloc())
      2. Compliant Solution
      3. Noncompliant Code Example (realloc())
      4. Compliant Solution
      5. Risk Assessment
      6. References
    6. MEM05-C. Avoid large stack allocations
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    7. MEM06-C. Ensure that sensitive data is not written out to disk
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Compliant Solution (Privileged Process, POSIX)
      4. Compliant Solution (Privileged Process, Windows)
      5. Risk Assessment
      6. References
    8. MEM07-C. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    9. MEM08-C. Use realloc() only to resize dynamically allocated arrays
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    10. MEM09-C. Do not assume memory allocation routines initialize memory
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. MEM10-C. Use a pointer validation function
      1. Noncompliant Code Example
      2. Compliant Solution (validation)
      3. Compliant Solution (assertion)
      4. Risk Assessment
      5. References
    12. MEM30-C. Do not access freed memory
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    13. MEM31-C. Free dynamically allocated memory exactly once
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    14. MEM32-C. Detect and handle memory allocation errors
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
        1. Related Vulnerabilities
      6. References
    15. MEM33-C. Use the correct syntax for flexible array members
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    16. MEM34-C. Only free memory allocated dynamically
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    17. MEM35-C. Allocate sufficient memory for an object
      1. Noncompliant Code Example (Integer Overflow)
      2. Compliant Solution (Integer Overflow)
      3. Noncompliant Code Example (Range Checking)
      4. Compliant Solution (Range Checking)
      5. Noncompliant Code Example (Size Calculation)
      6. Compliant Solution (Size Calculation)
      7. Risk Assessment
      8. References
  15. 10. Input/Output (FIO)
    1. FIO00-C. Take care when creating format strings
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    2. FIO01-C. Be careful using functions that use file names for identification
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example (POSIX)
      4. Compliant Solution (POSIX)
      5. Risk Assessment
      6. References
    3. FIO02-C. Canonicalize path names originating from untrusted sources
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Noncompliant Code Example (POSIX)
      4. Implementation Details
        1. Linux
        2. Solaris
      5. Compliant Solution (glibc)
      6. Noncompliant Code Example (Windows)
      7. Compliant Solution (Windows)
      8. Risk Assessment
      9. References
    4. FIO03-C. Do not make assumptions about fopen() and file creation
      1. Noncompliant Code Example (fopen())
      2. Noncompliant Code Example (fopen_s(), ISO/IEC TR 24731-1)
      3. Compliant Solution (open(), POSIX)
      4. Compliant Solution (fopen(), GNU)
      5. Compliant Solution (fdopen(), POSIX)
      6. Risk Assessment
      7. References
    5. FIO04-C. Detect and handle input and output errors
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. FIO05-C. Identify files using multiple file attributes
      1. Noncompliant Code Example (Reopen)
      2. Compliant Solution (POSIX) (device / i-node)
      3. Compliant Solution (POSIX) (Open Only Once)
      4. Noncompliant Code Example (Owner)
      5. Compliant Solution (POSIX) (Owner)
      6. Risk Assessment
      7. References
    7. FIO06-C. Create files with appropriate access permissions
      1. Noncompliant Code Example (fopen())
      2. Implementation Details
      3. Compliant Solution (fopen_s(), ISO/IEC TR 24731-1)
      4. Noncompliant Code Example (open(), POSIX)
      5. Compliant Solution (open(), POSIX)
      6. Risk Assessment
      7. References
    8. FIO07-C. Prefer fseek() to rewind()
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    9. FIO08-C. Take care when calling remove() on an open file
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Risk Assessment
      4. References
    10. FIO09-C. Be careful with binary data when transferring data across systems
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. FIO10-C. Take care when using the rename() function
      1. Preserve Existing Destination File
        1. Noncompliant Code Example (POSIX)
        2. Compliant Solution (POSIX)
        3. Compliant Solution (Windows)
      2. Remove Existing Destination File
        1. Noncompliant Code Example (Windows)
        2. Compliant Solution (Windows)
        3. Compliant Solution (POSIX)
      3. Portable Behavior
        1. Compliant Solution (Remove Existing Destination File)
        2. Compliant Solution (Preserve Existing Destination File)
        3. Risk Assessment
        4. References
    12. FIO11-C. Take care when specifying the mode parameter of fopen()
      1. Risk Assessment
      2. References
    13. FIO12-C. Prefer setvbuf() to setbuf()
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    14. FIO13-C. Never push back anything other than one read character
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. Reference
    15. FIO14-C. Understand the difference between text mode and binary mode with file streams
      1. Text Streams
        1. Representation
        2. fseek()
        3. ungetc()
      2. Binary Streams
        1. Representation
        2. fseek()
        3. ungetc()
      3. Risk Assessment
      4. References
    16. FIO15-C. Ensure that file operations are performed in a secure directory
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Risk Assessment
      4. References
    17. FIO16-C. Limit access to files by creating a jail
      1. Noncompliant Code Example
      2. Compliant Solution (UNIX)
      3. Risk Assessment
      4. References
    18. FIO30-C. Exclude user input from format strings
      1. Noncompliant Code Example
      2. Compliant Solution (fputs())
      3. Compliant Solution (fprintf())
      4. Noncompliant Code Example (POSIX)
      5. Compliant Solution (POSIX)
      6. Risk Assessment
        1. Related Vulnerabilities
      7. References
    19. FIO31-C. Do not simultaneously open the same file multiple times
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    20. FIO32-C. Do not perform operations on devices that are only appropriate for files
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Compliant Solution (Windows)
      4. Risk Assessment
      5. References
    21. FIO33-C. Detect and handle input output errors resulting in undefined behavior
      1. Noncompliant Code Example (fgets())
      2. Compliant Solution (fgets())
      3. Noncompliant Code Example (fopen())
      4. Compliant Solution (fopen())
      5. Noncompliant Code Example (snprintf())
      6. Compliant Solution (snprintf())
      7. Risk Assessment
      8. References
    22. FIO34-C. Use int to capture the return value of character I/O functions
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    23. FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char)
      1. Noncompliant Code Example
      2. Compliant Solution (Portable to Rare Systems)
      3. Compliant Solution (Explicitly Nonportable)
      4. Exceptions
      5. Priority and Level
      6. Risk Assessment
      7. References
    24. FIO36-C. Do not assume a new-line character is read when using fgets()
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    25. FIO37-C. Do not assume character data has been read
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    26. FIO38-C. Do not use a copy of a FILE object for input and output
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    27. FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    28. FIO40-C. Reset strings on fgets() failure
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Exceptions
      4. Risk Assessment
      5. References
    29. FIO41-C. Do not call getc() or putc() with stream arguments that have side effects
      1. Noncompliant Code Example (getc())
      2. Compliant Solution (getc())
      3. Noncompliant Code Example (putc())
      4. Compliant Solution (putc())
      5. Risk Assessment
      6. References
    30. FIO42-C. Ensure files are properly closed when they are no longer needed
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Compliant Solution (POSIX)
      4. Risk Assessment
      5. References
    31. FIO43-C. Do not create temporary files in shared directories
      1. Unique and Unpredictable File Names
      2. Exclusive Access
      3. Removal Before Termination
      4. Noncompliant Code Example (fopen()/open() with tmpnam())
      5. Noncompliant Code Example (tmpnam_s(), ISO/IEC TR 24731-1)
      6. Noncompliant Code Example (mktemp()/open(), POSIX)
      7. Noncompliant Code Example (tmpfile())
      8. Noncompliant Code Example (tmpfile_s(), ISO/IEC TR 24731-1)
      9. Compliant Solution (mkstemp(), POSIX)
      10. Implementation Details
      11. Exceptions
      12. Risk Assessment
      13. References
    32. FIO44-C. Only use values for fsetpos() that are returned from fgetpos()
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
  16. 11. Environment (ENV)
    1. ENV00-C. Do not store the pointer to the string returned by getenv()
      1. Noncompliant Code Example
      2. Compliant Solution (Windows)
      3. Compliant Solution (Windows)
      4. Compliant Solution (POSIX)
      5. Compliant Solution
      6. Risk Assessment
      7. References
    2. ENV01-C. Do not make assumptions about the size of an environment variable
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    3. ENV02-C. Beware of multiple environment variables with the same effective name
      1. Duplicate Environment Variable Detection (POSIX)
      2. Noncompliant Code Example
      3. Compliant Solution
      4. Risk Assessment
      5. References
    4. ENV03-C. Sanitize the environment when invoking external programs
      1. Noncompliant Code Example (POSIX, ls)
      2. Compliant Solution (POSIX, ls)
      3. Risk Assessment
      4. References
    5. ENV04-C. Do not call system() if you do not need a command processor
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Noncompliant Code Example (POSIX)
      4. Compliant Solution (POSIX)
      5. Risk Assessment
        1. Related Vulnerabilities
      6. References
    6. ENV30-C. Do not modify the string returned by getenv()
      1. Noncompliant Code Example
      2. Compliant Solution (Local Copy)
      3. Compliant Solution (Modifying the Environment in POSIX)
      4. Risk Assessment
      5. References
    7. ENV31-C. Do not rely on an environment pointer following an operation that may invalidate it
      1. Noncompliant Code Example (POSIX)
      2. Compliant Solution (POSIX)
      3. Noncompliant Code Example (Windows)
      4. Compliant Solution (Windows)
      5. Compliant Solution
      6. Risk Assessment
      7. References
    8. ENV32-C. No atexit handler should terminate in any way other than by returning
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
  17. 12. Signals (SIG)
    1. SIG00-C. Mask signals handled by noninterruptible signal handlers
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Risk Assessment
      4. References
    2. SIG01-C. Understand implementation-specific details regarding signal handler persistence
      1. Persistent Handlers
        1. Noncompliant Code Example
        2. Noncompliant Code Example
        3. Compliant Solution (POSIX)
      2. Nonpersistent Handlers
        1. Noncompliant Code Example (UNIX)
        2. Compliant Solution (UNIX and Windows)
        3. Compliant Solution (POSIX)
        4. Risk Assessment
        5. References
    3. SIG02-C. Avoid using signals to implement normal functionality
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Compliant Solution (Windows)
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Risk Assessment
      7. References
    4. SIG30-C. Call only asynchronous-safe functions within signal handlers
      1. Noncompliant Code Example
      2. POSIX
      3. OpenBSD
      4. Compliant Solution
      5. Risk Assessment
        1. Related Vulnerabilities
      6. References
    5. SIG31-C. Do not access or modify shared objects in signal handlers
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. SIG32-C. Do not call longjmp() from inside a signal handler
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
        1. Related Vulnerabilities
      4. References
    7. SIG33-C. Do not recursively invoke the raise() function
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Compliant Solution (POSIX)
      4. Risk Assessment
      5. References
    8. SIG34-C. Do not call signal() from within interruptible signal handlers
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Compliant Solution (POSIX)
      4. Compliant Solution (Windows)
      5. Exceptions
      6. Risk Assessment
      7. References
  18. 13. Error Handling (ERR)
    1. ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy
      1. Risk Assessment
      2. References
    2. ERR01-C. Use ferror() rather than errno to check for FILE stream errors
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    3. ERR02-C. Avoid in-band error indicators
      1. Noncompliant Code Example
      2. Compliant Solution (sprintf_m())
      3. Exceptions
      4. Noncompliant Code Example (TR 24731-1)
      5. Compliant Solution (TR 24731-1)
      6. Risk Assessment
      7. References
    4. ERR03-C. Use runtime-constraint handlers when calling functions defined by TR 24731-1
      1. Noncompliant Code Example (TR 24731-1)
      2. Compliant Solution (TR 24731-1)
      3. Compliant Solution (Visual Studio 2008/.NET Framework 3.5)
      4. Risk Assessment
      5. References
    5. ERR04-C. Choose an appropriate termination strategy
      1. exit()
      2. return from main()
      3. _Exit()
      4. abort()
      5. Summary
      6. Noncompliant Code Example
      7. Compliant Solution
      8. Risk Assessment
      9. References
    6. ERR05-C. Application-independent code should provide error detection without dictating error handling
      1. Noncompliant Code Example
      2. Compliant Solution (Return Value)
      3. Compliant Solution (Address Argument)
      4. Compliant Solution (Global Error Indicator)
      5. Compliant Solution (setjmp() and longjmp())
      6. Summary
      7. Risk Assessment
      8. References
    7. ERR06-C. Understand the termination behavior of assert() and abort()
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    8. ERR30-C. Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure
      1. Library Functions and errno
      2. Noncompliant Code Example (strtoul())
      3. Compliant Solution (strtoul())
      4. Noncompliant Code Example (setlocale())
      5. Compliant Solution (setlocale())
      6. Noncompliant Code Example (fopen())
      7. Compliant Solution (Windows)
      8. Compliant Solution (POSIX)
      9. Risk Assessment
      10. References
    9. ERR31-C. Do not redefine errno
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    10. ERR32-C. Do not rely on indeterminate values of errno
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example (POSIX)
      4. Compliant Solution (POSIX)
      5. Risk Assessment
      6. References
  19. 14. Miscellaneous (MSC)
    1. MSC00-C. Compile cleanly at high warning levels
      1. Exceptions
      2. Risk Assessment
      3. References
    2. MSC01-C. Strive for logical completeness
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
        1. Historical Discussion
      5. Risk Assessment
      6. References
    3. MSC02-C. Avoid errors of omission
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    4. MSC03-C. Avoid errors of addition
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Risk Assessment
      6. References
    5. MSC04-C. Use comments consistently and in a readable fashion
      1. Noncompliant Code Example
      2. Compliant Solution (Preprocessor)
      3. Compliant Solution (Compiler)
      4. Noncompliant Code Example
      5. Compliant Solution
      6. Risk Assessment
      7. References
    6. MSC05-C. Do not manipulate time_t typed values directly
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    7. MSC06-C. Be aware of compiler optimization when dealing with sensitive data
      1. Noncompliant Code Example (memset())
      2. Noncompliant Code Example (Touching Memory)
      3. Noncompliant Code Example (Windows)
      4. Compliant Solution (Windows)
      5. Compliant Solution (Windows)
      6. Compliant Solution
      7. Risk Assessment
      8. References
    8. MSC07-C. Detect and remove dead code
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Noncompliant Code Example
      4. Compliant Solution
      5. Exceptions
      6. Risk Assessment
      7. References
    9. MSC08-C. Library functions should validate their parameters
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    10. MSC09-C. Character encoding: use subset of ASCII for safety
      1. File Names
      2. Noncompliant Code Example (File Name)
      3. Compliant Solution (File Name)
      4. Noncompliant Code Example (File Name)
      5. Compliant Solution (File Name)
      6. Risk Assessment
      7. References
    11. MSC10-C. Character encoding: UTF-8-related issues
      1. Security-Related Issues
        1. Accept Only the Shortest Form
        2. Handling Invalid Inputs
        3. Broken Surrogates
      2. Risk Assessment
      3. References
    12. MSC11-C. Incorporate diagnostic tests using assertions
      1. Risk Assessment
      2. References
    13. MSC12-C. Detect and remove code that has no effect
      1. Noncompliant Code Example (Assignment)
      2. Compliant Solution (Assignment)
      3. Noncompliant Code Example (Dereference)
      4. Compliant Solution (Dereference)
      5. Compliant Solution (Memory-Mapped Devices)
      6. Risk Assessment
      7. References
    14. MSC13-C. Detect and remove unused values
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    15. MSC14-C. Do not introduce unnecessary platform dependencies
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    16. MSC15-C. Do not depend on undefined behavior
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
        1. Related Vulnerabilities
      4. References
    17. MSC30-C. Do not use the rand() function for generating pseudorandom numbers
      1. Noncompliant Code Example
      2. Compliant Solution (POSIX)
      3. Compliant Solution (Windows)
      4. Risk Assessment
      5. References
    18. MSC31-C. Ensure that return values are compared against the proper type
      1. Noncompliant Code Example (time_t)
      2. Compliant Solution
      3. Noncompliant Code Example (size_t)
      4. Compliant Solution
      5. Risk Assessment
      6. References
  20. POSIX (POS)
    1. POS00-C. Avoid race conditions with multiple threads
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    2. POS01-C. Check for the existence of links
      1. Noncompliant Code Example
      2. Compliant Solution (Linux 2.1.126+, FreeBSD, Solaris 10, POSIX.1-2008, O_NOFOLLOW)
      3. Compliant Solution (lstat-fopen-fstat)
        1. Hard Links
      4. Risk Assessment
      5. References
    3. POS02-C. Follow the principle of least privilege
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    4. POS30-C. Use the readlink() function properly
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    5. POS31-C. Do not unlock or destroy another thread’s mutex
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    6. POS32-C. Include a mutex when using bit-fields in a multithreaded environment
      1. Noncompliant Code Example (Bit-Field)
      2. Compliant Solution (Bit-Field)
      3. Risk Assessment
      4. References
    7. POS33-C. Do not use vfork()
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    8. POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument
      1. Noncompliant Code Example
      2. Compliant Solution (putenv())
      3. Compliant Solution (setenv())
      4. Risk Assessment
      5. References
    9. POS35-C. Avoid race conditions while checking for the existence of a symbolic link
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    10. POS36-C. Observe correct revocation order while relinquishing privileges
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Risk Assessment
      4. References
    11. POS37-C. Ensure that privilege relinquishment is successful
      1. Noncompliant Code Example
      2. Compliant Solution
      3. Compliant Solution
      4. Risk Assessment
      5. References
  21. Glossary
  22. References