MISRA C 2012 - Amendment 1 Additional security guidelines for MISRA C 2012.pdf

MISRA C:2012 Amendment 1 Additional security guidelines for MISRA C:2012 April 2016

First published April 2016 by HORIBA MIRA Limited Watling treet !uneat"n War#i$%shire &'10 0() )* ###+misra+"rg+u% , HORIBA MIRA Limited- 2016+ .MIRA/- .MIRA &/ and the triangle l"g" are registered trademar%s "#ned by HORIBA MIRA Ltd- held "n behal " the MIRA &"ns"rtium+ Other pr"du$t "r brand names are trademar%s "r registered trademar%s " their respe$tie h"lders and n" end"rsement "r re$"mmendati"n " these pr"du$ts by MIRA is implied+ All rights resered+ !" part " this publi$ati"n may be repr"du$ed- st"red in a retrieal retrieal system "r transmitted transmitted in any "rm "r by any means- ele$tr"ni$- me$hani$al "r ph"t"$"pying- re$"rding "r "ther#ise #ith"ut the pri"r #ritten permissi"n " the ublisher+ IB! 3451306700168 9F British Library Cataloguing in ublication !ata A $atal"gue re$"rd "r this b""% is aailable r"m the British Library

MISRA C:2012 Amendment 1 Additional security guidelines for MISRA C:2012 April 2016

i

MISRA Mission Statement We pr"ide #"rldleading best pra$ti$e guidelines "r the sae and se$ure appli$ati"n " b"th embedded $"ntr"l systems and standal"ne s"t#are+ MIRA is a $"llab"rati"n bet#een manua$turers- $"mp"nent suppliers and engineering $"nsultan$ies #hi$h see%s t" pr"m"te best pra$ti$e in deel"ping saety and se$urityrelated ele$tr"ni$ systems and "ther s"t#areintensie appli$ati"ns+ (" this end MIRA publishes d"$uments that pr"ide a$$essible in"rmati"n "r engineers and management- and h"lds eents t" permit the e:$hange " e:perien$es bet#een pra$titi"ners+

!isclaimer Adherence to the requirements of this document does not in itself ensure error-free robust software or guarantee portability and re-use. Compliance with the requirements of this document, or any other standard, does not of itself confer immunity from legal obligations.

ii

"ore#ord (he isi"n " MIRA & is set "ut in the "pening paragraph " the ;uidelines< (he MIRA & ;uidelines de=ne a subset " the & la nguage in #hi$h the "pp"rtunity t" ma%e mista%es is either rem"ed "r redu$ed+ Many standards "r the deel"pment " safety-related software re>uire- "r re$"mmend- the use " a language subset- and this $an als" be used t" deel"p any appli$ati"n #ith high integrity or high reliability requirements+

)n"rtunately- many pe"ple "$us "n the safety-related software reeren$e- and a per$epti"n e:ists that MIRA & is "nly safety-related and n"t security-related + ubse>uent t" the publi$ati"n " MIRA &<2012- IO?I@& (&1?&22?W;17 the $"mmittee resp"nsible "r maintaining the & tandardC published their "#n & language e$urity ;uidelines- as IO?I@& 14361<2018+ Addendum 2 t" MIRA &<2012 sets "ut the $"erage by MIRA &<2012 " IO?I@& 14361<2018 and Dusti=es the ie#p"int that MIRA & is e>ually appli$able in a security-related enir"nment as it is in a safety-related "ne+ (he #"r% t" $reate that matri: highlighted a small number " areas #here MIRA & $"uld be enhan$ed+ (his Amendment t" MIRA &<2012 sets "ut a small number " additi"nal guidelines- t" impr"e the $"erage " the se$urity $"n$erns highlighted by the IO & e$ure ;uidelines+ eeral " these address spe$i=$ issues pertaining t" the use " untrust#"rthy data- a #ell%n"#n se$urity ulnerability+ (hese additi"nal ;uidelines e:tend MIRA &<2012 and I en$"urage all users- and all "rganiEati"ns- t" $"nsider ad"pti"n at the earliest "pp"rtunity+

Andre# Ban%s FB& &I( &hairman- MIRA & W"r%ing ;r"up

iii

Ac$no#ledgements (he MIRA $"ns"rtium #"uld li%e t" than% the "ll"#ing indiiduals "r their signi=$ant $"ntributi"n t" the #riting " this d"$ument< Andre# Ban%s

FraEer!ash Resear$h Ltd ? Intuitie &"nsulting

Mi%e Hennell

L9RA Ltd

&lie yg"tt

&"lumbus &"mputing Ltd

&hris (app

L9RA Ltd

LiE Whiting

L9RA Ltd

(he MIRA $"ns"rtium als" #ishes t" a$%n"#ledge $"ntributi"ns r"m the "ll"#ing members " the MIRA & W"r%ing ;r"up during the deel"pment and reie# pr"$ess< Fuli" Ba$$aglini

r"gramming Resear$h Ltd

9ae Banham

R"llsR"y$e pl$

Mar% Bradbury

Independent &"nsultant F"rmerly Aer" @ngine &"ntr"lsC

ill Britt"n

r"gramming Resear$h Ltd

&hris Hills

haedrus ystems Ltd

(he MIRA $"ns"rtium als" #ishes t" a$%n"#ledge $"ntributi"ns r"m the "ll"#ing indiiduals during the deel"pment and reie# pr"$ess< 9aid Ward

i

HORIBA MIRA Ltd

Contents 1

2

!e# dire$ties

1

1+7

1

&"de design

!e# rules

8

2+12 @:pressi"ns

8

2+21 tandard libraries

7

2+22 Res"ur$es

12

8

&hanges t" e:isting rules

14

7

Reeren$es

15

Appendi: A

ummary " guidelines

13

Appendi: B

;uideline attributes

21



1 %e# directi&es 1'(

Code design

9ir 7+17

(he alidity " alues re$eied r"m e:ternal s"ur$es shall be $he$%ed &30 )nde=ned 1G- 13- 26- 80- 81- 82- 37 &33 )nde=ned 1G- 16- 88- 70- 787G- 75- 73- 118

Category

Re>uired

A))lies to

&30- &33

Am)li*cation .@:ternal s"ur$es/ in$lude data< ●

Read r"m a =le

●

Read r"m an enir"nment ariable

●

Resulting r"m user input

●

Re$eied "er a $"mmuni$ati"ns $hannel+

Rationale A pr"gram has n" $"ntr"l "er the alues gien t" data "riginating r"m e:ternal s"ur$es+ (he alues may there"re be inalid- either as the result " err"rs "r due t" mali$i"us m"di=$ati"n by an e:ternal agent+ 9ata r"m e:ternal s"ur$es shall there"re be alidated be"re it is used+ In the se$urity d"main- e:ternal s"ur$es " data are usually regarded as untrusted as they may hae been m"di=ed by s"me"ne trying t" harm "r gain $"ntr"l " the pr"gram and?"r system it is running "n su$h data needs t" be alidated be"re it $an be used saely+ In the saety d"main- e:ternal s"ur$es are regarded as .suspi$i"us/ and alues "btained r"m them re>uire alidati"n+ In b"th d"mains- data r"m an e:ternal s"ur$e shall be tested t" ensure that its alue respe$ts all the $"nstraints pla$ed "n its use i+e+ its alue is n"t harmulC- een i the alue $ann"t be pr"en t" be $"rre$t+ F"r e:ample< ●

A alue used t" $"mpute an array inde: shall n"t result in an array b"unds err"r

●

A alue used t" $"ntr"l a l""p shall n"t $ause e:$essie e+g+ in=niteC i terati"n

●

A alue used t" $"mpute a diis"r shall n"t result in diisi"n by Eer"

●

●

A alue used t" $"mpute an am"unt " dynami$ mem"ry shall n"t result in e:$essie mem"ry all"$ati"n A string used as a >uery t" an JL database shall be $he$%ed t" ensure that it d"es n"t in$lude a ; $hara$ter+

1

S e c t i o n 1 : % e # d i r e c t i & e s

2

+,am)le (he "ll"#ing e:ample is n"n$"mpliant as there is n" $he$% made t" ensure that a string resulting r"m user input is null terminated+ (his may lead t" an array b"unds err"r- $"mm"nly %n"#n as a buKer "errun- #hen the string is "utput thr"ugh the $all t" printf + void f1( void ) { char input [ 128 ]; ( void ) scanf ( "%128c", input ); ( void ) printf ( "%s", input ); 

/* Non-cop!iant */

2 %e# rules 2'12 +,)ressions Rule 12+G

(he sizeof "perat"r shall n"t hae an "perand #hi$h is a un$ti"n parameter de$lared as .array " type/

Category

Mandat"ry

Analysis

9e$idable- ingle (ranslati"n )nit

A))lies to

&30- &33

Am)li*cation (he un$ti"n parameter # in void f ( int$2t #[ & ] ) is de$lared as .array " type/+

Rationale (he sizeof "perat"r $an be used t" determine the number " elements in an array #< si't arrai' + si'of ( # ) / si'of ( #[  ] );

(his #"r%s as e:pe$ted #hen # is an identi=er that designates an array- as it has type .array " type/+ It d"es n"t .degenerate/ t" a p"inter and si'of ( # ) returns the siEe " the array+ H"#eer- this is n"t the $ase #hen # is a un$ti"n parameter+ (he tandard states that a un$ti"n parameter neer has type .array " type/ and a un$ti"n parameter de$lared as an array #ill .degenerate/ t" .p"inter t" type/+ (his means that si'of ( # ) is e>uialent t" si'of ( int$2t * )- #hi$h d"es n"t return the siEe " an array+

+,am)le int$2t !.#[] + { 1, 2, $, &,  ; void f ( int$2t #[ & ] ) { /* * 0h fo!!oin is non-cop!iant as it a!as ivs th sa ansr, * irrspctiv of th nu.r of .rs that appar to . in th arra * (& in this cas), .caus # has tp int$2t * and not int$2t[ & ] * #s si'of ( int$2t * ) is oftn th sa as si'of ( int$2t ), * nu3!nts is !i4! to a!as hav th va!u 1 */ uint$2t nu3!nts + si'of ( # ) / si'of ( int$2t ); /* * 0h fo!!oin is cop!iant as nu3!nts!.# i!! . ivn th * 5pctd va!u of  */ uint$2t nu3!nts!.# + si'of ( !.# ) / si'of ( !.#[  ] ); 

8

S e c t i o n 2 : % e # r u l e s

2'21 Standard libraries Rule 21+18 Any alue passed t" a un$ti"n in 6ctph7 shall be representable as an unsigned char "r be the alue 39 &30 )nde=ned 68- &33 )nde=ned 104 Category

Mandat"ry

Analysis

)nde$idable- ystem

A))lies to

&30- &33

Rationale (he releant un$ti"ns r"m 6ctph7 are de=ned t" ta%e an int argument #here the e:pe$ted alue is either in the range " an unsigned char "r is a negatie alue e>uialent t" 39+ (he use " any "ther alues results in undened behaviour +

+,am)le Note (he int $asts in the "ll"#ing e:ample are re>uired t" $"mply #ith Rule 10+8+ .oo!t f ( uint8t a ) { rturn ( isdiit ( ( int$2t ) a )  isa!pha ( ( int$2t ) <.< )  is!or ( 39 )  isa!pha ( 2= ) ); 

/* /* /* /*

:op!iant :op!iant :op!iant Non-cop!iant

*/ */ */ */

See also Rule 10+8

Rule 21+17 (he tandard Library un$ti"n memcmp shall n"t be used t" $"mpare null terminated strings Category

Re>uired

Analysis


A))lies to

&30- &33

Am)li*cation F"r the purp"ses " this rule- .null terminated strings/ are< ●

tring literals

●

Arrays haing essentially character type #hi$h $"ntain a null character +

Rationale (he tandard Library un$ti"n int cp ( const void *s1, const void *s2, si't n );

7

per"rms a byte by byte $"mparis"n " the =rst n bytes " the t#" "bDe$ts p"inted at by s1 and s2+

I memcmp is used t" $"mpare t#" strings and the length " either is less than n- then they may $"mpare as diKerent een #hen they are l"gi$ally the same i+e+ ea$h has the same se>uen$e " $hara$ters be"re the null terminat"rC as the $hara$ters ater a null terminat"r #ill be i n$luded in the $"mparis"n een th"ugh they d" n"t "rm part " the string+

+,am)le 5trn char .uffr1[ 12 ]; 5trn char .uffr2[ 12 ]; void f1 ( void ) { ( void ) strcp ( .uffr1, "a.c" ); ( void ) strcp ( .uffr2, "a.c" );

s e l u r # e % : 2 n o i t c e S

/* 0h fo!!oin us of cp is non-cop!iant */ if ( cp ( .uffr1, .uffr2, si'of ( .uffr1 ) ) >+  ) { /* * 0h strins stord in .uffr1 and .uffr 2 ar rportd to . * diffrnt, .ut this a actua!! . du to diffrncs in th * uninitia!isd charactrs stord aftr th nu!! trinators */   /* 0h fo!!oin dfinition vio!ats othr uid!ins */ unsind char hadrtart[ = ] + { + pac4t )  ( cp( pac4t, hadrtart, = ) ++  ) ) { /* * :oparison of va!us havin ssntia!! unsind tp rports that * contnts ar th sa #n nu!! trinator is sip! tratd as a * 'ro va!u and an diffrncs .ond it ar sinificant */  

See also Rule 21+1G- Rule 21+16

G

S e c t i o n 2 : % e # r u l e s

Rule 21+1G (he p"inter arguments t" the tandard Library un$ti"ns memcpy memmove and memcmp shall be p"inters t" >uali=ed "r un>uali=ed ersi"ns " $"mpatible types Category

Re>uired

Analysis


A))lies to

&30- &33

Rationale (he tandard Library un$ti"ns void * cp ( void * rstrict s1, const void * rstrict s2, si't n ); void * ov ( void *s1, const void *s2, si't n ); int cp ( const void *s1, const void *s2, si't n );

per"rm a byte by byte $"py- m"e "r $"mparis"n " the =rst n bytes " the t#" "bDe$ts p"inted at by s1 and s2+ An attempt t" $all "ne " these un$ti"ns #ith arguments #hi$h are p"inters t" diKerent types may indi$ate a mista%e+

+,am)le /* * As it intntiona! to on! cop part of
See also Rule 21+17- Rule 21+16

Rule 21+16 (he p"inter arguments t" the tandard Library un$ti"n memcmp shall p"int t" either a p"inter type- an essentially signed type- an essentially unsigned type- an essentially !oolean type "r an essentially enum type &33 )nspe$i=ed 3 Category

Re>uired

Analysis


A))lies to

&30- &33

Rationale (he tandard Library un$ti"n int cp ( const void *s1, const void *s2, si't n );

per"rms a byte by byte $"mparis"n " the =rst n bytes " the t#" "bDe$ts p"inted at by s1 and s2+

6

tru$tures shall n"t be $"mpared using memcmp as it may in$"rre$tly indi$ate that t#" stru$tures are n"t e>ual- een #hen their members h"ld the same alues+ tru$tures may $"ntain padding #ith an indeterminate alue bet#een their members and memcmp #ill in$lude this in its $"mparis"n+ It $ann"t be assumed that the padding #ill be e>ual- een #hen the alues " the stru$ture members are the same+ )ni"ns hae similar $"n$erns al"ng #ith the added $"mpli$ati"n that they may in$"rre$tly be rep"rted as haing the same alue #hen the representati"n " diKerent- "erlapping members are $"in$identally the same+ ObDe$ts #ith essentially "oating type shall n"t be $"mpared #ith memcmp as the same alue may be st"red using diKerent representati"ns+

s e l u r # e % : 2 n o i t c e S

I an essentially char array $"ntains a null $hara$ter- it is p"ssible t" treat the data as a $hara$ter string rather than simply an array " $hara$ters+ H"#eer that distin$ti"n is a matter " interpretati"n rather than synta:+ in$e essentially char arrays are m"st re>uently used t" st"re $hara$ter strings- an attempt t" $"mpare su$h arrays using memcmp rather than strcmp "r strncmpC may indi$ate an err"r as the number " $hara$ters t" be $"mpared #ill be determined by the alue " the si't argument rather than the l"$ati"n " the null $hara$ters used t" terminate the strings+ (he result may there"re depend "n the $"mparis"n " $hara$ters #hi$h are n"t part " the respe$tie strings+

+,am)le struct ; /* * Cturn va!u a indicat that +  ); /* Non-cop!iant */  union ? { uint$2t ran; uint$2t hiht; ; /* * Cturn va!u a indicat that +  ); /* Non-cop!iant */  const char a[ = ] + "tas4"; /* * Cturn va!u a incorrct! indicat strins ar diffrnt as th * !nth of +  ); /* Non-cop!iant */ 

See also Rule 21+17- Rule 21+1G

4

S e c t i o n 2 : % e # r u l e s

Rule 21+14 )se " the string handling un$ti"ns r"m 6strinh7 shall n"t result in a$$esses bey"nd the b"unds " the "bDe$ts reeren$ed by their p"inter parameters &30 )nde=ned 36- &33 )nde=ned 108- 150 Category

Mandat"ry

Analysis


A))lies to

&30- &33

Am)li*cation (he releant string handling un$ti"ns r"m 6strinh7 are< strcat, strchr, strcp, strco!!, strcp, strcspn, str!n, strp.r4, strrchr, strspn, strstr, strto4

Rationale In$"rre$t use " a un$ti"n listed ab"e may result in a read "r #rite a$$ess bey"nd the b"unds " an "bDe$t passed as a parameter- resulting in undened behaviour +

+,am)le char strin[] + "hort"; void f1 ( const char *str ) { /* * Non-cop!iant us of strcp as it rsu!ts in rits .ond th nd of
si't f2 ( void ) { char t5t[  ] + "0o4n"; /* * 0h fo!!oin is non-cop!iant as it rsu!ts in rads .ond * th nd of
See also Rule 21+15

5

Rule 21+15 (he si't argument passed t" any un$ti"n in 6strinh7 shall hae an appr"priate alue &30 )nde=ned 36- &33 )nde=ned 108- 150- 151 Category

Mandat"ry

Analysis


A))lies to

&30- &33

s e l u r # e % : 2 n o i t c e S

Am)li*cation (he releant un$ti"ns in string+h are< chr, cp, cp, ov, st, strncat, strncp, strncp, str5fr

An appr"priate alue is< ●

●

"sitie !" greater than the siEe " the smallest "bDe$t passed t" the un$ti"n thr"ugh a p"inter parameter+

Rationale In$"rre$t use " a un$ti"n listed ab"e may result in a read "r #rite a$$ess bey"nd the b"unds " an "bDe$t passed as a parameter- resulting in undened behaviour +

+,am)le char .uf1[  ] + "12$&"; char .uf2[ 1 ] + "12$&=D8E"; void f ( void ) { if ( cp ( .uf1, .uf2,  ) ++  ) {  if ( cp ( .uf1, .uf2, = ) ++  ) { 

/* :op!iant

*/




See also Rule 21+14

3

S e c t i o n 2 : % e # r u l e s

Rule 21+13 (he p"inters returned by the tandard Library un$ti"ns localeconv getenv - setlocale "r- strerror shall "nly be used as i they hae p"inter t" $"nst>uali=ed type &30 )nde=ned- &33 )nde=ned 117- 11G- 147 Category

Mandat"ry

Analysis


A))lies to

&30- &33

Am)li*cation (he localeconv un$ti"n returns a p"inter " type struct !conv *+ (his p"inter shall be regarded as i it had type const struct !conv *+ A struct !conv "bDe$t in$ludes p"inters " type char * and the getenv - setlocale- and strerror un$ti"ns ea$h return a p"inter " type char *+ (hese p"inters are used t" a$$ess strings null terminated arrays " type char C+ F"r the purp"se " this rule- these p"inters shall be regarded as i they had type const char *+

Rationale (he tandard states that undened behaviour "$$urs i a pr"gram m"di=es< ●

(he stru$ture p"inted t" by the alue returned by localeconv 

●

(he strings returned by getenv - setlocale "r strerror +

Note (he tandard d"es n"t spe$iy the behai"ur that results i the strings reeren$ed by the stru$ture p"inted t" by the alue returned by localeconv are m"di=ed+ (his rule pr"hibits any $hanges t" these strings as they are $"nsidered t" be undesirable+ (reating the p"inters returned by the ari"us un$ti"ns as i they #ere $"nst>uali=ed all"#s an analysis t""l t" dete$t any attempt t" m"diy an "bDe$t thr"ugh "ne " the p"inters+ Additi"nallyassigning the return alues " the un$ti"ns t" $"nst>uali=ed p"inters #ill result in the $"mpiler issuing a diagn"sti$ i an attempt is made t" m"diy an "bDe$t+ Note I a m"di=ed ersi"n is re>uired- a pr"gram sh"uld ma%e and m"diy a $"py " any alue $"ered by this rule+

+,am)le (he "ll"#ing e:amples are n"n$"mpliant as the returned p"inters are assigned t" n"n$"nst >uali=ed p"inters+ Whilst this #ill n"t be rep"rted by a $"mpiler it is n"t a $"nstraint i"lati"nC- an analysis t""l #ill be able t" rep"rt a i"lati"n+ void f1 ( void ) { char *s1 + st!oca! ( @:#@@,  ); struct !conv *conv + !oca!conv (); s1[ 1 ] + <#<; conv-7dcia!point + "F"; 

10

/* Non-cop!iant /* Non-cop!iant

*/ */

/* ?ndfind .haviour */ /* ?ndfind .haviour */

(he "ll"#ing e:amples are $"mpliant as the returned p"inters are assigned t" $"nst >uali=ed p"inters+ Any attempt t" m"diy an "bDe$t thr"ugh a p"inter #ill be rep"rted by a $"mpiler "r analysis t""l as this is a $"nstraint i"lati"n+ void f2 ( void ) { char str[ 128 ]; ( void ) strcp ( str, st!oca! ( @:#@@,  ) ); const struct !conv *conv + !oca!conv ();

/* :op!iant - 2nd paratr to strcp ta4s a const char * */ /* :op!iant */

conv-7dcia!point + "F";

/* :onstraint vio!ation

s e l u r # e % : 2 n o i t c e S

*/



(he "ll"#ing e:ample sh"#s that #hilst the use " a $"nst>uali=ed p"inter gies $"mpile time pr"te$ti"n " the alue returned by localeconv - the same is n"t true "r the strings it reeren$es+ M"di=$ati"n " these strings $an be dete$ted by an analysis t""l+ void f$ ( void ) { const struct !conv *conv + !oca!conv (); conv-7roupin[ 2 ] + <5<;

/* :op!iant

*/




See also Rule 4+7- Rule 11+5- Rule 21+5

Rule 21+20 (he p"inter returned by the tandard Library un$ti"ns asctime- ctime gmtime- localtime- localeconv - getenv - setlocale "r strerror shall n"t be used "ll"#ing a subse>uent $all t" the same un$ti"n Category

Mandat"ry

Analysis


A))lies to

&30- &33

Am)li*cation &alls t" setlocale may $hange the alues a$$essible thr"ugh a p"inter that #as prei"usly returned by localeconv + F"r the purp"ses " this rule- the setlocale and localeconv un$ti"n shall there"re be treated as i they are the same un$ti"n+

Rationale (he tandard Library un$ti"ns asctime- ctime- gmtime- localtime- localeconv - getenv - setlocale and strerror return a p"inter t" an "bDe$t #ithin the tandard Library+ Implementati"ns are permitted t" use stati$ buKers "r any " these "bDe$ts and a se$"nd $all t" the same un$ti"n may m"diy the $"ntents " the buKer+ (he alue a$$essed thr"ugh a p"inter held by the pr"gram be"re a subse>uent $all t" a un$ti"n may there"re $hange une:pe$tedly+

+,am)le void f1( void ) { const char *rs1; const char *rs2; char cop[ 128 ];

11

S e c t i o n 2 : % e # r u l e s

rs1 + st!oca! ( @:#@@,  ); ( void ) strcp ( cop, rs1 ); rs2 + st!oca! ( @:GN30#CH, "9rnch" ); printf ( "%sIn", rs1 ); printf ( "%sIn", cop ); printf ( "%sIn", rs2 );

/* Non-cop!iant - us aftr su.sJunt ca!! */ /* :op!iant - cop ad .for su.sJunt ca!! */ /* :op!iant - no su.sJunt ca!! .for us */



2'22 Resources Rule 22+4

(he ma$r" 39 shall "nly be $"mpared #ith the unm"di=ed return alue r"m any tandard Library un$ti"n $apable " returning 39

Category

Re>uired

Analysis


A))lies to

&30- &33

Am)li*cation (he alue returned by any " these un$ti"ns shall n"t be subDe$t t" any type $"nersi"n i it is later $"mpared #ith the ma$r" 39+ Note indire$t type $"nersi"ns- su$h as th"se resulting r"m p"inter type $"nersi"ns- are in$luded #ithin the s$"pe " this rule+

Rationale An 39 return alue r"m these un$ti"ns is used t" i ndi$ate that a stream is either at end"=le "r that a read "r #rite err"r has "$$urred+ (he 39 alue may be$"me indistinguishable r"m a alid $hara$ter $"de i the alue returned is $"nerted t" an"ther type+ In su$h $ases- testing the $"nerted alue against 39 #ill n"t reliably identiy i the end " the =le has been rea$hed "r i an err"r has "$$urred+ I these $"nditi"ns are t" be identi=ed by $"mparis"n #ith 39- the $"mparis"n shall be made be"re any $"nersi"n " the alue "$$urs+ Alternatiely- the tandard Library un$ti"ns feof and ferror may be used t" dire$tly $he$% the status " the stream- either be"re "r ater the $"nersi"n ta%es pla$e+

+,am)le void f1 ( void ) { char ch; ch + ( char ) tchar (); /* * 0h fo!!oin tst is non-cop!iant At i!! not . r!ia.! as th * rturn va!u is cast to a narror tp .for chc4in for 39 */ if ( 39 >+ ( int$2t ) ch ) {  

12

(he "ll"#ing $"mpliant e:ample sh"#s h"# feof#$ $an be used t" $he$% "r 39 #hen the return alue r"m getchar#$ has been subDe$ted t" type $"nersi"n< void f2 ( void ) { char ch; ch + ( char ) tchar (); if ( >fof ( stdin ) ) {  

s e l u r # e % : 2 n o i t c e S

void f$ ( void ) { int$2t ich; ich + tchar (); /* * 0h fo!!oin tst is cop!iant At i!! . r!ia.! as th * unconvrtd rturn va!u is usd hn chc4in for 39 */ if ( 39 >+ ich ) { char ch; ch + ( char ) ich;  

Rule 22+5

(he alue " rrno shall be set t" Eer" pri"r t" a $all t" an errnosetting-function

Category

Re>uired

Analysis


A))lies to

&30- &33

Am)li*cation An errno-setting-function is "ne " the "ll"#ing< ft!!, ftpos, fstpos, ftc, fputc strtoia5, strtoua5, strto!, strtou!, strto!!, strtou!!, strtof, strtod, strto!d cstoia5, cstoua5, csto!, cstou!, csto!!, cstou!!, cstof, cstod, csto!d crto., csrto.s, .rtoc

Any "ther un$ti"n #hi$h returns err"r in"rmati"n using rrno is als" an errno-setting-function+ Note this may in$lude additi"nal un$ti"ns r"m the tandard Library- as permitted by (he tandard+ .ri"r/ re>uires that rrno shall be set t" Eer" in the same un$ti"n and "n all paths leading t" a $all " an errno-setting-function+ Furtherm"re- there shall be n" $alls t" un$ti"ns that may set rrno in these paths+ (his in$ludes $alls t" any un$ti"n #ithin the tandard Library as these are permitted but n"t re>uiredC t" set rrno+

Rationale An errno-setting-function #rites a n"nEer" alue t" rrno i an err"r is dete$ted- leaing the alue unm"di=ed "ther#ise+ (he tandard in$ludes n"nn"rmatie adi$e that .a pr"gram that uses rrno "r err"r $he$%ing sh"uld set it t" Eer" be"re a library un$ti"n $all- then inspe$t it be"re a subse>uent library un$ti"n $all/+

18

S e c t i o n 2 : % e # r u l e s

In "rder that err"rs $an be dete$ted- this rule re>uires that rrno shall be set t" Eer" be"re an errno-setting-function is $alled+ Rule 22+3 then re>uires that rrno be tested ater the $all+

+,ce)tion (he alue " rrno need n"t be set t" Eer" #hen it $an be pr"en t" be Eer"+

+,am)le void f ( void ) { rrnottin9unction1 (); if (  ++ rrno ) { rrnottin9unction2 ();

/* Non-cop!iant

*/

/* :op!iant . 5cption */

if (  ++ rrno ) {   !s { rrno + ; rrnottin9unction$ ();

/* :op!iant

*/

if (  ++ rrno ) {   


Rule 22+3

(he alue " rrno shall be tested against Eer" ater $alling an errnosetting-function

Category

Re>uired

Analysis


A))lies to

&30- &33

Am)li*cation An errno-setting-function is "ne " th"se des$ribed in Rule 22+5+ (he test " rrno shall "$$ur in the same un$ti"n "n all paths r"m the $all " interest- and be"re any subse>uent un$ti"n $alls+ (he results " an errno-setting-function shall n"t be used pri"r t" the testing " rrno+

Rationale

17

An errno-setting-function #rites a n"nEer" alue t" rrno i an err"r is dete$ted- leaing the alue unm"di=ed "ther#ise+ (he tandard in$ludes n"nn"rmatie adi$e that .a pr"gram that uses rrno "r err"r $he$%ing sh"uld set it t" Eer" be"re a library un$ti"n $all- then inspe$t it be"re a subse>uent library un$ti"n $all/+

As the alue returned by an errno-setting-function is unli%ely t" be $"rre$t #hen rrno is n"nEer"the pr"gram shall test rrno t" ensure that it is appr"priate t" use the returned alue+

+,ce)tion (he alue " rrno d"es n"t hae t" be tested #hen the return alue " an errno-setting-function $an be used t" determine i an err"r has "$$urred+

+,am)le void f1 ( void ) { rrno + ;

s e l u r # e % : 2 n o i t c e S

rrnottin9unction1 (); so9unction ();

/* Non-cop!iant - function ca!! */

if (  >+ rrno ) {  rrno + ; rrnottin9unction2 (); if (  >+ rrno ) {  

/* :op!iant */

void f2 ( 9A@3 *f, fpost *pos ) { rrno + ; if ( fstpos ( f, pos ) ++  ) { /* :op!iant . 5cption - no nd to tst rrno as no out-of-.and rror rportd */  !s { /* othin nt ron - rrno ho!ds an ip!ntation-dfind positiv va!u */ hand!3rror ( rrno );  


Rule 22+10 (he alue " rrno shall "nly be tested #hen the last un$ti"n t" be $alled #as an errno-setting-function Category

Re>uired

Analysis


A))lies to

&30- &33

Am)li*cation An errno-setting-function is "ne " th"se des$ribed in Rule 22+5+

1G

S e c t i o n 2 : % e # r u l e s

Rationale (he errno-setting-functions are the "nly un$ti"ns #hi$h are re>uired t" set rrno #hen an err"r is dete$ted+ Other un$ti"ns- in$luding th"se de=ned in the tandard Library that are n"t errno-setting functions- may "r may n"t set rrno t" indi$ate that an err"r has "$$urred+ (he use " rrno t" dete$t err"rs #ithin these un$ti"ns #ill ail "r an implementati"n that d"es n"t set rrno as it #ill be let unm"di=ed+ ;ien that a Eer" alue "r rrno d"es n"t there"re guarantee the absen$e " an err"r #ithin a un$ti"n that is n"t an errno-setting-function- its alue shall n"t be tested as the "ut$"me must be $"nsidered unreliable+

+,am)le In the "ll"#ing e:ample< ●

atof may "r may n"t set rrno #hen an err"r is dete$ted

●

strtod is an errno-setting-function+

void f ( void ) { f!oat=&t f=&; rrno + ; f=& + atof ( "#12" ); if (  ++ rrno ) /* Non-cop!iant */ { /* f=& a not hav a va!id va!u in hr */  rrno + ; f=& + strtod ( "#12", N?@@ ); if (  ++ rrno ) /* :op!iant { /* f=& i!! hav a va!id va!u in hr  


16

*/ */

- Changes to e,isting rules Rule 21+5

(he "ll"#ing $hanges hae been made t" Rule 21+5 as the "utright pr"hibiti"n "n using getenv is n" l"nger ne$essary ater the intr"du$ti"n " Rule 21+13 and Rule 21+20+ ●

Rem"e reeren$es t" getenv r"m the rule headline and the ampli=$ati"n

●

Add a .ee als"/ se$ti"n #ith $r"ssreeren$es t" Rule 21+13 and Rule 21+20+

14

( References 1

15

IO?I@& ( 14361<2018- %nformation technology & 'rogramming languages, their environments and system software interfaces & C secure coding rules - Internati"nal OrganiEati"n "r tandardiEati"n1330

A))endi, A Summary of guidelines Code design 9ir 7+17

Re>uired

(he alidity " alues re$eied r"m e:ternal s"ur$es shall be $he$%ed

+,)ressions Rule 12+G

Mandat"ry

(he siEe" "perat"r shall n"t hae an "perand #hi$h is a un$ti"n parameter de$lared as .array " type/

Standard libraries Rule 21+18

Mandat"ry

Any alue passed t" a un$ti"n in $type+h shall be representable as an unsigned $har "r be the alue @OF

Rule 21+17

Re>uired

(he tandard Library un$ti"n mem$mp shall n"t be used t" $"mpare null terminated strings

Rule 21+1G

Re>uired

(he p"inter arguments t" the tandard Library un$ti"ns mem$pymemm"e and mem$mp shall be p"inters t" >uali=ed "r un>uali=ed ersi"ns " $"mpatible types

Rule 21+16

Re>uired

(he p"inter arguments t" the tandard Library un$ti"n mem$mp shall p"int t" either a p"inter type- an essentially signed type- an essentially unsigned type- an essentially B""lean type "r an essentially enum type

Rule 21+14

Mandat"ry

)se " the string handling un$ti"ns r"m string+h shall n"t result in a$$esses bey"nd the b"unds " the "bDe$ts reeren$ed by their p"inter parameters

Rule 21+15

Mandat"ry

(he siEeNt argument passed t" any un$ti"n in string+h shall hae an appr"priate alue

Rule 21+13

Mandat"ry

(he p"inters returned by the tandard Library un$ti"ns l"$ale$"ngeten- setl"$ale "r- strerr"r shall "nly be used as i they hae p"inter t" $"nst>uali=ed type

Rule 21+20

Mandat"ry

(he p"inter returned by the tandard Library un$ti"ns as$time- $timegmtime- l"$altime- l"$ale$"n- geten- setl"$ale "r strerr"r shall n"t be used "ll"#ing a subse>uent $all t" the same un$ti"n

Resources Rule 22+4

Re>uired

(he ma$r" @OF shall "nly be $"mpared #ith the unm"di=ed return alue r"m any tandard Library un$ti"n $apable " returning @OF

Rule 22+5

Re>uired

(he alue " errn" shall be set t" Eer" pri"r t" a $all t" an errn"setting un$ti"n

Rule 22+3

Re>uired

(he alue " errn" shall be tested against Eer" ater $alling an errn" settingun$ti"n

13

A ) ) e n d i , A : S u m m a r y o f g u i d e l i n e s

20

Rule 22+10

Re>uired

(he alue " errn" shall "nly be tested #hen the last un$ti"n t" be $alled #as an errn"settingun$ti"n

A))endi, B .uideline attributes Rule

&ateg"ry

Applies t"

Analysis

9ir 7+17

Re>uired

&30- &33

Rule 12+G

Mandat"ry

&30- &33


Rule 21+18

Mandat"ry

&30- &33


Rule 21+17

Re>uired

&30- &33


Rule 21+1G

Re>uired

&30- &33


Rule 21+16

Re>uired

&30- &33


Rule 21+14

Mandat"ry

&30- &33


Rule 21+15

Mandat"ry

&30- &33


Rule 21+13

Mandat"ry

&30- &33


Rule 21+20

Mandat"ry

&30- &33


Rule 22+4

Re>uired

&30- &33


Rule 22+5

Re>uired

&30- &33


Rule 22+3

Re>uired

&30- &33


Rule 22+10

Re>uired

&30- &33


21

MISRA C 2012 - Amendment 1 Additional security guidelines for MISRA C 2012.pdf

Recommend Documents