sei-cert-c-coding-standard-2016-v01.pdf

【实例截图】

【核心代码】

Table of Contents
1 Introduction 1
1.1 Scope 2
1.2 Audience 3
1.3 History 4
1.4 ISO/IEC TS 17961 C Secure Coding Rules 5
1.5 Tool Selection and Validation 7
1.6 Taint Analysis 9
1.7 Rules Versus Recommendations 10
1.8 Conformance Testing 11
1.9 Development Process 12
1.10 Usage 13
1.11 System Qualities 13
1.12 Vulnerability Metric 13
1.13 How This Coding Standard Is Organized 14
1.14 Automatically Generated Code 18
1.15 Government Regulations 19
1.16 Acknowledgments 20
2 Preprocessor (PRE) 23
2.1 PRE30-C. Do not create a universal character name through concatenation 23
2.2 PRE31-C. Avoid side effects in arguments to unsafe macros 25
2.3 PRE32-C. Do not use preprocessor directives in invocations of function-like macros 30
3 Declarations and Initialization (DCL) 32
3.1 DCL30-C. Declare objects with appropriate storage durations 32
3.2 DCL31-C. Declare identifiers before using them 36
3.3 DCL36-C. Do not declare an identifier with conflicting linkage classifications 40
3.4 DCL37-C. Do not declare or define a reserved identifier 43
3.5 DCL38-C. Use the correct syntax when declaring a flexible array member 50
3.6 DCL39-C. Avoid information leakage when passing a structure across a trust boundary 53
3.7 DCL40-C. Do not create incompatible declarations of the same function or object 60
3.8 DCL41-C. Do not declare variables inside a switch statement before the first case label 66
4 Expressions (EXP) 68
4.1 EXP30-C. Do not depend on the order of evaluation for side effects 68
4.2 EXP32-C. Do not access a volatile object through a nonvolatile reference 74
4.3 EXP33-C. Do not read uninitialized memory 76
4.4 EXP34-C. Do not dereference null pointers 85
4.5 EXP35-C. Do not modify objects with temporary lifetime 90
4.6 EXP36-C. Do not cast pointers into more strictly aligned pointer types 93
4.7 EXP37-C. Call functions with the correct number and type of arguments 98
4.8 EXP39-C. Do not access a variable through a pointer of an incompatible type 103
4.9 EXP40-C. Do not modify constant objects 109
4.10 EXP42-C. Do not compare padding data 111
4.11 EXP43-C. Avoid undefined behavior when using restrict-qualified pointers 114
SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems ii
Software Engineering Institute | Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
4.12 EXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _Generic 122
4.13 EXP45-C. Do not perform assignments in selection statements 126
4.14 EXP46-C. Do not use a bitwise operator with a Boolean-like operand 131
5 Integers (INT) 132
5.1 INT30-C. Ensure that unsigned integer operations do not wrap 132
5.2 INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data 138
5.3 INT32-C. Ensure that operations on signed integers do not result in overflow 147
5.4 INT33-C. Ensure that division and remainder operations do not result in divide-by-zero
errors 157
5.5 INT34-C. Do not shift an expression by a negative number of bits or by greater than or
equal to the number of bits that exist in the operand 160
5.6 INT35-C. Use correct integer precisions 166
5.7 INT36-C. Converting a pointer to integer or integer to pointer 169
6 Floating Point (FLP) 173
6.1 FLP30-C. Do not use floating-point variables as loop counters 173
6.2 FLP32-C. Prevent or detect domain and range errors in math functions 176
6.3 FLP34-C. Ensure that floating-point conversions are within range of the new type 185
6.4 FLP36-C. Preserve precision when converting integral values to floating-point type 189
6.5 FLP37-C. Do not use object representations to compare floating-point values 191
7 Array (ARR) 193
7.1 ARR30-C. Do not form or use out-of-bounds pointers or array subscripts 193
7.2 ARR32-C. Ensure size arguments for variable length arrays are in a valid range 203
7.3 ARR36-C. Do not subtract or compare two pointers that do not refer to the same array 207
7.4 ARR37-C. Do not add or subtract an integer to a pointer to a non-array object 209
7.5 ARR38-C. Guarantee that library functions do not form invalid pointers 212
7.6 ARR39-C. Do not add or subtract a scaled integer to a pointer 222
8 Characters and Strings (STR) 226
8.1 STR30-C. Do not attempt to modify string literals 226
8.2 STR31-C. Guarantee that storage for strings has sufficient space for character
data and the null terminator 230
8.3 STR32-C. Do not pass a non-null-terminated character sequence to a library function
that expects a string 242
8.4 STR34-C. Cast characters to unsigned char before converting to larger integer sizes 247
8.5 STR37-C. Arguments to character-handling functions must be representable as an
unsigned char 251
8.6 STR38-C. Do not confuse narrow and wide character strings and functions 253
9 Memory Management (MEM) 256
9.1 MEM30-C. Do not access freed memory 256
9.2 MEM31-C. Free dynamically allocated memory when no longer needed 262
9.3 MEM33-C. Allocate and copy structures containing a flexible array member
dynamically 264
9.4 MEM34-C. Only free memory allocated dynamically 269
9.5 MEM35-C. Allocate sufficient memory for an object 273
9.6 MEM36-C. Do not modify the alignment of objects by calling realloc() 277
SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems iii
Software Engineering Institute | Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
10 Input/Output (FIO) 281
10.1 FIO30-C. Exclude user input from format strings 281
10.2 FIO32-C. Do not perform operations on devices that are only appropriate for files 285
10.3 FIO34-C. Distinguish between characters read from a file and EOF or WEOF 291
10.4 FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when
successful 296
10.5 FIO38-C. Do not copy a FILE object 299
10.6 FIO39-C. Do not alternately input and output from a stream without an intervening
flush or positioning call 301
10.7 FIO40-C. Reset strings on fgets() or fgetws() failure 304
10.8 FIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that
has side effects 306
10.9 FIO42-C. Close files when they are no longer needed 309
10.10 FIO44-C. Only use values for fsetpos() that are returned from fgetpos() 313
10.11 FIO45-C. Avoid TOCTOU race conditions while accessing files 315
10.12 FIO46-C. Do not access a closed file 319
10.13 FIO47-C. Use valid format strings 321
11 Environment (ENV) 326
11.1 ENV30-C. Do not modify the object referenced by the return value of certain functions 326
11.2 ENV31-C. Do not rely on an environment pointer following an operation that may
invalidate it 331
11.3 ENV32-C. All exit handlers must return normally 336
11.4 ENV33-C. Do not call system() 340
11.5 ENV34-C. Do not store pointers returned by certain functions 347
12 Signals (SIG) 353
12.1 SIG30-C. Call only asynchronous-safe functions within signal handlers 353
12.2 SIG31-C. Do not access shared objects in signal handlers 363
12.3 SIG34-C. Do not call signal() from within interruptible signal handlers 367
12.4 SIG35-C. Do not return from a computational exception signal handler 371
13 Error Handling (ERR) 374
13.1 ERR30-C. Set errno to zero before calling a library function known to set errno,
and check errno only after the function returns a value indicating failure 374
13.2 ERR32-C. Do not rely on indeterminate values of errno 381
13.3 ERR33-C. Detect and handle standard library errors 386
14 Concurrency (CON) 403
14.1 CON30-C. Clean up thread-specific storage 403
14.2 CON31-C. Do not destroy a mutex while it is locked 407
14.3 CON32-C. Prevent data races when accessing bit-fields from multiple threads 410
14.4 CON33-C. Avoid race conditions when using library functions 414
14.5 CON34-C. Declare objects shared between threads with appropriate storage durations 418
14.6 CON35-C. Avoid deadlock by locking in a predefined order 426
14.7 CON36-C. Wrap functions that can spuriously wake up in a loop 431
14.8 CON37-C. Do not call signal() in a multithreaded program 435
14.9 CON38-C. Preserve thread safety and liveness when using condition variables 437
14.10 CON39-C. Do not join or detach a thread that was previously joined or detached 445
SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems iv
Software Engineering Institute | Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
14.11 CON40-C. Do not refer to an atomic variable twice in an expression 447
14.12 CON41-C. Wrap functions that can fail spuriously in a loop 451
15 Miscellaneous (MSC) 455
15.1 MSC30-C. Do not use the rand() function for generating pseudorandom numbers 455
15.2 MSC32-C. Properly seed pseudorandom number generators 459
15.3 MSC33-C. Do not pass invalid data to the asctime() function 463
15.4 MSC37-C. Ensure that control never reaches the end of a non-void function 466
15.5 MSC38-C. Do not treat a predefined identifier as an object if it might only
be implemented as a macro 470
15.6 MSC39-C. Do not call va_arg() on a va_list that has an indeterminate value 473
15.7 MSC40-C. Do not violate constraints 476
Appendix A: Bibliography 481
Appendix B: Definitions 501
Appendix C: Undefined Behavior 510
Appendix D: Unspecified Behavior 525