RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT





RULES FOR SECURE C LANGUAGE

SOFTWARE DEVELOPMENT

ANSSI GUIDELINES

TARGETED AUDIENCE:

Developers Administrators IT security managers IT managers Users

Information

Warning

          

            

 www.ssi.gouv.fr/en/

                

    

               

             

          

   

              

          

          

            



             

           

www.ssi.gouv.fr            

   

Document changelog:

VERSION DATE CHANGELOG

    

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  1

Contents

  

   

     

    

                                 

                                    

                                   

                           

                               

                                     

                                 

    static               

                                     

                                

   #undef                                  

                                 

  

                                  

                              

                             

 Debug  release                                   

     

                                  

                                    

                                      

                                    

    static                                  

    volatile                                 

                                

 Compound literals                                      

                                          

                                   

                                

                                   

                                 

     

                                       

                                             

                                         

2  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

                   

    

                             

                                          

                                         

                                 

                                 

                             

    restrict                               

                              

                          

                                        

    

                                     

                                          

                                             

                                            

                                          

  

                                        

                                

                        

                      

                         

                                

                                         

                                

                            

                                   

                                   

                                        

     

                                 

                           

    for                              

                        

     

     goto                                 

                                     

  

                          

                                   

                                   

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  3

     const                

  inline                                    

                                       

                              

     void                     

                          

                               

                             

                                        

   

                         

   ++  --          

                                

   

                                   

   

sizeof

                                 

                      

                                      

   

    errno                                     

               

                            

                 

                                 

   

                               

                               

                               

                    

      

                                      

                                  

                        

                  

                                 

                                   

                                       

  

                                         

                              

                         

                             

4  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

   

         

                               

                                       

    -Weverything                            

     

    

      

                                          

                                    

                                          

                                             

                                        

 

       

 

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  5

Introduction

The C language oers great freedom to developers. However, it contains ambigu-

ous or risky constructions that may introduce errors during development. The

C language standard does not specify all the desired behaviours, and therefore

some remain undened or unspecied



. Developers of compilers, libraries or

operating systems are therefore free to make their own choices.

Restrictions must therefore be set on the use of C language in order to identify the

various risky or non-portable constructions and to limit or even prohibit their use.

The restrictions dened in this guide are intended to encourage the production of

more secure, safer, more robust soware, and also to encourage their portability

from one system to another, whether PC type or embedded.

               

  In this document, we currently restrict ourselves to the 2 standards C90



and

C99, which are the most widely used.

                

       

Rule

 rule  always      

Recommendation

 recommendation         

          

  

             

          

      

              

6  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Good practice

 good practices           

           

    

    

             

   

n               

n              

          

                 

     etc.         

              



             

n    

n    

   

  

     

      

     

                 

          

etc.               



RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  7

Coding convention

               

            



              

           

             

RULE

RULE — Application of clear and explicit coding conventions

           

            

            

   etc.  

       

               

               

                 

              

              

 

      

         

8  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Undened and unspecied behaviours

              undened behaviour 

unspecied behaviour    

Undened behaviour

 undened behaviour            

             

           signed integer overow

Unspecied behaviour

 unspecied behaviour           

            

              

  

Information

            

          

   

              

Information

              

    

RULE

RULE — Only C coding in accordance with the standard is authorised

               



References

               con-

straints        

        

             

      

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  9

        

10  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Preprocessor and macros

4.1 Inclusion of the necessary header les

                

               

                

     

             

             

           

                   

               

 stddef.h  stdint.h      

RECO

RECOMMENDATION — Limit and justify header le inclusions in another

header le

             



RULE

RULE — Only the necessary header les should be included

              

               

      #define        

  #ifndef              multiple

include guard macro                

             

RULE

RULE — Use multiple include guard macros for a le

              

          

// start of header file

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  11

#ifndef HEADER_H

#define HEADER_H

/* file content */

#endif

// end of header file

Warning

    #pragma once        

             

             

           

   

              

 

RULE

RULE — Header le inclusions are grouped at the beginning of the le

               

           

  

RECO

RECOMMENDATION — System header le inclusions are made before user

header le inclusions

GOOD

PRACTICE

GOOD PRACTICE — Use alphabetical order in the inclusion of each type of

header les

             

           

  

Information

           

            

               



                 

    

Information

           

-Wimplicit-function-declaration

12  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Bad example

       string.h     file.h  

   string.h   file.c   memcpy   

 string.h      file.c      

file.h

/* header .h */

#include <string .h> /* should only be included in file.c */

void foo( uint8_t* val , uint32_t length );

/* file.c */

#include <string .h>

#include <stdint .h>

#include <stdlib .h>

#include "header .h"

#define BUFFER_LEN 8U

void foo( uint8_t *val , uint32_t length ) {

uint8_t buffer[BUFFER_LEN];

if (NULL != val) {

memcpy (buffer , val , min( BUFFER_LEN , length));

...

}

Good example

             

             

               

    

/* header .h */

#ifndef HEADER_H /* include guard to avoid ultiple inclusion */

#define HEADER_H

void foo( uint8_t *val , uint32_t length );

#endif /* HEADER_H */

/* file.c */

#include <string .h>

#include <stdint .h>

#include <stdlib .h>

#include "header .h"

#define BUFFER_LEN 8U

void foo( uint8_t *val , uint32_t length ) {

uint8_t buffer[BUFFER_LEN];

if (NULL != val) {

memcpy (buffer , val , min( BUFFER_LEN , length));

...

}

4.1.1 References

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  13

                

    

   #include         



         

4.2 Non-inclusion of source les

                

               

          static     

               

                

 

                

  inlining   etc.        

         -flto       

gcc -o binary -flto file1.c file2.c

RULE

RULE — Do not include a source le in another source le

           

Bad example

            

/* file1 .c */

#include <stdint .h>

void foo( uint16_t val) {

...

}

/* file2 .c */

#include "file1 .c" /* prohibited */

void bar() {

foo( MAGIC_VALUE);

}

Good example

          

/* header .h */

#ifndef HEADER_H

#define HEADER_H

void foo( uint16_t val);

#endif

14  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

/* file1 .c */

void foo( uint16_t val) {

...

}

/* file2 .c */

#include <stdint .h>

#include "header .h"

#define MAGIC_VALUE 42U

void bar() {

foo( MAGIC_VALUE);

}

4.3 Format of a le inclusion directive

                 

        

              

   #include             

                

                

 ' " /*  //       <  >  

  i.e. "    

        

RULE

RULE — File paths must be portable and case sensitive

     #include       

      

Bad example

            

#include <sys\stat.h>

#include "Module_A \Sub_Module_A \Header.h"

Good example

          

#include <sys/stat.h>

#include "module_a / sub_module_a/header.h"

               



RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  15

RULE

RULE — The name of a header le must not contain certain characters or

sequences of characters

              

  ' " \ /*  //

4.3.1 References

                

     

    #include        <filename> 

"filename" 

    

4.4 Comment and denition of preprocessor blocks

   #if #ifdef#ifndef #else #elif  #endif   

                

             

               

    

RECO

RECOMMENDATION — Preprocessor blocks must be commented on

            

            

            



            

   #ifndef    i.e.         

  NDEBUG

GOOD

PRACTICE

GOOD PRACTICE — Double negation in the expression of preprocessor

block conditions should be avoided

             i.e. 

             

              

RULE

RULE — Denition of a preprocessor block in a single le

             

16  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RECO

RECOMMENDATION — Preprocessor directive control expressions must be

correctly formed

              

  #define

Bad example

             

   #else  #endif 

/* file1 .c */

#ifdef A /* no #endif */

#include "log.h"

/* log.h */

#endif /* # endif of file1 .c */

#ifndef LOG_H

#define LOG_H

typedef enum {

DEBUG = 0,

WARN ,

INFO ,

ERROR ,

FATAL

} LogLevel_T;

void log_msg( LogLevel_T level , const unsigned char * sLogMessage );

#ifndef NDEBUG /* double negation */

#define LOG_DEBUG(msg) log_msg(DEBUG , ( msg))

#define LOG_WARN(msg) log_msg (WARN , (msg))

#define LOG_INFO(msg) log_msg (INFO , (msg))

#define LOG_ERROR(msg) log_msg(ERROR , ( msg))

#define LOG_FATAL(msg) log_msg(FATAL , ( msg))

#else

#define LOG_DEBUG(msg)

#define LOG_WARN(msg)

#define LOG_INFO(msg)

#define LOG_ERROR(msg)

#define LOG_FATAL(msg)

#endif

Good example

            

      

/* file1 .c */

#ifdef A

#include "log.h"

#endif

/* log.h */

#ifndef LOG_H

#define LOG_H

typedef enum {

DEBUG = 0,

WARN ,

INFO ,

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  17

ERROR ,

FATAL

} LogLevel_T;

void log_msg( LogLevel_T level , const unsigned char * sLogMessage );

#ifdef NDEBUG /* double negation removed */

/* Not debug mode */

#define LOG_DEBUG(msg)

#define LOG_WARN(msg)

#define LOG_INFO(msg)

#define LOG_ERROR(msg)

#define LOG_FATAL(msg)

#else /* #ifdef NDEBUG */

/* Debug mode */

#define LOG_DEBUG(msg) log_msg(DEBUG , ( msg))

#define LOG_WARN(msg) log_msg (WARN , (msg))

#define LOG_INFO(msg) log_msg (INFO , (msg))

#define LOG_ERROR(msg) log_msg(ERROR , ( msg))

#define LOG_FATAL(msg) log_msg(FATAL , ( msg))

#endif /* # ifdef NDEBUG */

#endif /* # ifndef LOG_H */

4.4.1 References

              

    

              

     

              

            

4.5 Using the preprocessor operators # and ##

      stringication       

           

RULE

RULE — Do not use more than one of the preprocessor operators # and

## in the same expression

                 i.e.

      

RULE

RULE — Understand the macro replacement when using the preprocessor

operators # and ##

18  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Bad example

#include <stdio .h>

...

#define MYPRINT(s) printf (#s)

#define TWO 2

int main( void )

{

MYPRINT (TWO); /* prints "TWO" */

return 1;

}

Good example

#include <stdio .h>

...

#define MYPRINT2(s) PRINT(s) /* Additional indirection to expand

"TWO" */

#define PRINT(s) printf (#s)

#define TWO 2

int main( void )

{

MYPRINT2 (TWO); /* prints "2" */

return 1;

}

4.5.1 References

            

             

      

                 

               

          



  

  

4.6 Specic naming of macros

                   

     

                 

                   

               



RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  19

RULE

RULE — Macros must be specically named

             

            

             

            

    

Bad example

          

#define cte 0x7EU /* lower case */

#define _my_squared (a) ((a)*(a)) /* lower case and starts with _ */

Good example

         

#define CTE 0x7EU

#define MY_SQUARED(a) ((a)*(a))

4.6.1 References

       

         

                

 

            

               

          

 

      

4.7 A macro must not end with a semicolon

                 

               

             

RULE

RULE — Do not end a macro with a semicolon

              

20  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Bad example

             

#define SQUARED(n) (n) = (n) * (n); /* no semicolon at the end of a macro */

...

if (x >= 0)

SQUARED (x); /* conditional without brace */

else

x = -x;

...

   

#define SQUARED(n) (n) = (n) * (n);

...

if (x >= 0)

x= x * x;

; /* empty statement */

else /* parsing error before the else */

x = -x;

...

Good example

   

#define SQUARED(n) (n) = (n) * (n)

/* ... */

if (x >= 0)

{

SQUARED (x);

}

else

{

x = -x;

}

   

#define SQUARED(n) (n) = (n) * (n)

/* ... */

if (x >= 0)

{

x = x * x;

}

else

{

x = -x;

}

4.7.1 References

          

4.8 Give preference to static inline functions in

“function type” macros

Inline            

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  21

Information

     inline       static

    static inline          

      inlining        

Information

       static inline     

            

             

        -Wunused-function  

           -Wall 

             

            

      

RECO

RECOMMENDATION — Use static inline functions instead of

multi-statement macros

               

                

             

RULE

RULE — The replacement of a developer-dened macro must not create a

function

4.8.1 References

            function-like macro  

 

          

4.9 Multi-statement macros

              

                

                  

   

22  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

      do {  } while(0)      

  do {  } while(0)          

               

RULE

RULE — Macros containing multiple statements must use a

do { ... } while(0) loop for their denition

Bad example

      

#define HALF_SUM(a,b,c,d) \

(a) = ((c) + (d)) / 2; \

(b) = ((c) - (d)) / 2

/* leads to a different behaviour to the one required with a call in a conditional

statement without braces */

if(c > d)

HALF_SUM (a, b, c, d);

else

/* ... */

       

#define HALF_SUM(a,b,c,d) { (a) = ((c) + (d)) / 2; (b) = ((c) - (d)) / 2 }

            

          ;      

if(c>d)

{ (a)=((c) + (d)) / 2; (b) = ((c) - (d)) / 2 };

else

/* ... */

Good example

           do-while(0)  



#define HALF_SUM(a, b, c, d) \

do { \

(a) = ((c) + (d)) / 2; \

(b) = ((c) - (d)) / 2; \

} while (0)

4.9.1 References

         

4.10 Arguments and parameters of a macro

               

             

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  23

       

RULE

RULE — Mandatory parentheses around the parameters used in the body

of a macro

             

          

                  

                 

        

RECO

RECOMMENDATION — Arguments of a macro carrying out an operation

should be avoided

                  

              

           

RULE

RULE — Arguments in a macro must not contain side effects

          

      #define #ifdef       

       

RULE

RULE — Do not use preprocessor directives in macro arguments

Bad example

             

#define ABS(x) (x >= 0 ? x : -x)

a = c + ABS(a - b) + d;

/* result : a = c + (a - b >= 0 ? a - b : -a -b) + d */

m=ABS(n++) ;

/* additional increment of n: m = ((n++ < 0) ? - n++ : n++) */

Good example

           



#define ABS(x) (((x) >= 0) ? (x) : -(x))

a = c + ABS(a - b) + d;

24  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

/* correct result : a = c + (((a - b) >= 0) ? (a - b) : -(a - b)) + d */

p=n++;

m=ABS(p);

/* only one increment of n: m = (((p) < 0) ? - (p) : (p)); */

4.10.1 References

            

  

         

        

             

          

            

       

4.11 Using the #undef directive

   #undef            

                

                

                   

    

   #undef                

          

RULE

RULE — The #undef directive should not be used

4.11.1 References

       

4.12 Trigraph and double question mark

               

    ??-          

              



RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  25

RULE

RULE — Do not use trigraphs

               

    

RECO

RECOMMENDATION — Successive question marks should not be used

            

Information

 -Wtrigraphs         

Information

      

4.12.1 References

       

       

26  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Compilation

             

                 

              

              

        

Warning

    a fortiori         

           

               

              

            

     

5.1 Mastery of the compilation phase

               

              

              

              

             

                

              

RULE

RULE — Precisely dene compilation options

            

      

          

        

     -Wextra  

      NDEBUG  

  

              

        

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  27

RECO

RECOMMENDATION — Master actions performed by the compiler and the

linker

           

             



Warning

         -fno-strict-overflow

-fwrapv -fwrapv-pointer -fno-delete-null-pointer-checks 

-fno-strict-aliasing             



      make CMake  Meson    

               

GOOD

PRACTICE

GOOD PRACTICE — Make use of build automation software

5.1.1 References

     

     

            

        

5.2 Compilation without errors nor warnings

                

              

                 

                

             

RULE

RULE — Compile the code without any error nor warning while enabling

strict compilation options

              

             

   

              

               -Werror

              

28  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

   

              

                

         

RULE

RULE — Enable a reasonably high optimization level

           -O1   -O2 

-Os

Warning

              

         

Information

            

gcc/clang -O1 -Wall

-Wextra

-Wpedantic

-Werror -std=c99/c90

file.c

-o file.exe

RECO

RECOMMENDATION — Use the strictest compilation options

               

            

Information

             

         

                   

               

             

                

               

                 

    #pragma         

a                    

   

b           -Wall          



c                    

  

d           

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  29

Warning

 #pragma           

              

        #pragma      

            



               

 

#pragma GCC diagnostic push

#pragma GCC diagnostic ignored "-Wunused - variable"

/* code */

/* some variables are not used in the new algorithm anymore but are kept for API compatibility */

/* warnings about such unused variables are thus disabled in the code following the pragma */

#pragma GCC diagnostic pop

5.2.1 References

           

       

       

   

     

     

5.3 Use of security features provided by compilers

              

                

            

RULE

RULE — Make use of security features offered by compilers

           

         

Warning

             

     

         

           

            

            

 

30  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

           

               

    

5.3.1 Warnings oriented towards security bugs

             

                

           

RULE

RULE — Enable warnings that focus on detecting security bugs and deal

with any reported issue

   -Wformat=2

       

         

  -Wformat-overflow=2  -Wformat-truncation=2    

Information

           

             

          



              

           

            

         -fanalyzer    

Clang Static Analyzer      

5.3.2 Instrumentation of some particularly unsafe functions

               

              

       cf.      

             

      

RULE

RULE — Enable the use of hardened variants of unsafe functions

             

    _FORTIFY_SOURCE      

       -O1       

           

a                    

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  31

Information

 -Wstringop-overflow=n        

         n

5.3.3 Initialization of automatic variables

     



       

                

         

RULE

RULE — Enable compiler warnings related to the use of uninitialized vari-

ables

   -Wuninitialized

 -Winit-self 

-Wmaybe-uninitialized

      

    -Wuninitialized

 -Wconditional-uninitialized 

 

Warning

             

           

 

           

             pattern 

        release  cf.     

              

              

               

           



RULE

RULE — Enable forced initialization of automatic variables by the compiler

        

-ftrivial-auto-var-init=pattern     

-ftrivial-auto-var-init=zero  release  

     

-enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang

             static       

      

a    -Wall

b    -Wall

c    -Wall

32  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Warning

            

            

    

            

              

    

5.3.4 Integer overows

              

            int 

  INT_MAX  wrap       INT_MIN    

                

              

RECO

RECOMMENDATION — Enable compiler options that allow for detecting

signed integer overows

        -ftrapv    

               

          



Warning

           

                

             

         

  

Information

            

       

sanitizer        

       

5.3.5 Call stack hardenings

               

            

  

a   

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  33

             





  



           

                

          

RULE

RULE — Do not use executable stack

            

     

 -z execstack          

 -z nognustack      

 -z noexecstack       

            

         canaries



    

                

           

RULE

RULE — Enable stack canaries

      -fstack-protector-strong   



         

              

               

         

RECO

RECOMMENDATION — Use per-thread canaries

         

-mstack-protector-guard=tls    Thread Local Storage

5.3.6 Dynamic loading

           

            

                 

       

        closures              

    

                        

     

    cookies

34  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RULE

RULE — Produce position independent executables

      -fPIE       

-pie      

                

            

               

               

               relro

 partial relro 

RULE

RULE — Use relro mode of linkers

        -z relro     

relro         

            

 lazy binding           

  relro              

    



            

      full relro  BIND_NOW 

RECO

RECOMMENDATION — Do not use lazy binding

   -z now           

               

   

Information

 relro     lazy binding      

             

      

         

5.3.7 Reproducible builds

             

                 

               

                

               

       

  lazy binding                  

     daemon

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  35

GOOD

PRACTICE

GOOD PRACTICE — Ensure reproducible builds

      -Wdate-time     

-frandom-seed=           

  

5.4 Debug and release modes

  debug  release           

             

Debug and release modes

 debug           

           

              

              release

            

            

           

           

       

Debug              

  release            

  debug           

 0   release           

Information

 NDEBUG                

   assert.h     assert     



RULE

RULE — All production-ready code must be compiled in release mode

  release        

                

             

      debug     

                

    

36  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RECO

RECOMMENDATION — Pay special attention to debug and release modes

when building a project

   debug  release         

          

          



RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  37

Declaration, denition and initialisation

Denition versus use of variables

         i.e.     

            i.e. 

       

6.1 Multiple variable declarations

               

            

                 

              

      

RECO

RECOMMENDATION — Only multiple declarations of simple variables of the

same type are authorised

               

                 

         

RULE

RULE — Do not make multiple variable declarations associated with an

initialisation

  i.e.         

  

Bad example

              

   

uint32_t abs , ord = 0; /* caution , the variable abs is not set to zero here ! */

uint32_t a, *b; /* to be prohibited: mix of simple variable and pointer

declaration */

struct blob_t g, h[35]; /* to be prohibited : mix of simple variable , pointer and

array declaration */

38  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Good example

uint32_t a,

uint32_t *b; /* separation of the simple variable and the pointer */

struct blob_t g;

struct blob_t h[35]; /* as above for separation of the array and simple variable

uint32_t abs , ord; /* joint declaration of two functionally -related variables */

abs = 0; /* assignment of the two variables */

ord = 0;

6.1.1 References

           

6.2 Free declaration of variables

               

              

 

RECO

RECOMMENDATION — Group variable declarations at the beginning of the

block in which they are used

           

               

   

Information

             

           



 -Wdeclaration-after-statement       

   

                

                 

               

Bad example

               

             

         

#include <stdint .h>

uint8_t glob_var; /* global variable */

uint8_t fonc(void)

{

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  39

uint8_t var1; /* local variable */

if (glob_var >=0)

{

/* ... */

}

else

var1 = glob_var;

uint8_t var2; /* other local variable declared in the middle of a block */

/* ... */

}

uint8_t glob_var2; /* other global variable declared between two functions */

void main( void)

{

uint8_t x = fonc ();

/* ... */

}

Good example

              

      

#include <stdint .h>

uint8_t glob_var; /* global variable declared together */

uint8_t glob_var2;

uint8_t fonc(void)

{

uint8_t var1; /* local variables declared together at the beginning of the

function */

uint8_t var2;

if (glob_var >= 0)

{

/* ... */

}

else

{

var1 = glob_var;

}

/* ... */

}

void main( void)

{

uint8_t x = fonc ();

/* ... */

}

6.3 Declaration of constants

           literals    

                 

    

RULE

RULE — Do not use hard-coded values

          

                 

                 

   const        

40  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

              

  

GOOD

PRACTICE

GOOD PRACTICE — Centralise the declaration of constants at the beginning

of the le

               



        

RULE

RULE — Declare constants in upper case

            #define

RULE

RULE — Constants that do not require type checking are declared with the

#define preprocessing directive

RULE

RULE — Constants requiring explicit type checking must be declared with

the keyword const

RULE

RULE — Constant values must be associated with a sufx depending on

the type

            

  U         

   long  long long       L  LL 

      l  ll      

    1

       double    f   

  d     

Warning

      int      

double 

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  41

RULE

RULE — The size of the type associated with a constant expression must

be sufcient to contain it

              

   

                

           

RECO

RECOMMENDATION — Prohibit octal constants

       

Bad example

           

             

 

#define octal_const 075 /* octal base numerical constant and name in lower case */

const int64_t b = 0l; /* l and not L, and constant naming problem */

uint8_t buffer [0x82]; /* constant not declared and type check needed for this

constant */

int16_t i;

for(i = 0; i < 0x82; i++) { /* hard -coded value */

...

}

printf (" Message \012"); /* octal base escape sequence \012 = \n */

Good example

           

  

const uint32_t INIT_VALUE = 0 x1294U; /* declared constant and with the necessary

type check */

#define BUFFER_SIZE 0 x82U /* declared constant with type check not necessary */

const int64_t B = 0L; /* correction of the suffix and specific naming of the

constant */

uint8_t buffer[BUFFER_SIZE];

uint16_t i;

for(i = 0; i < BUFFER_SIZE; i++) {

...

}

6.3.1 References

                

   

42  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

        

    u  U           

   

      l        

                 

    

             



 

    L  l     

     

           

              

       

         

         

      

          

       

      

    

6.4 Limited use of global variables

               

              

                

                

           g_ etc.

                  

             

       

RULE

RULE — Limit global variables to what is strictly necessary

             

       

Bad example

             

static uint32_t g_state;

void foo( void ) {

...

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  43

g_state = 1;

}

void bar( void ) {

...

g_state = 2;

}

int main(int argc , char * argv []) {

foo();

bar();

...

}

Good example

           state  

          

void foo( uint32_t* state) {

...

(* state) = 1;

}

void bar( uint32_t* state) {

...

(* state) = 2;

}

int main(int argc , char * argv []) {

uint32_t state = 0;

foo(& state);

bar(& state);

...

}

6.4.1 References

      

        

         

 

                 

 

6.5 Use of the static keyword

               static 

               

 static              

      static       

                 

  

44  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

                  

       static        

                

            

RULE

RULE — Systematically use the static specier for declarations

 static           

            

6.5.1 References

              



      

               

     

               

     

6.6 Use of the volatile keyword

 volatile             

                 

            



RULE

RULE — Only variables that can be modied outside the implementation

should be declared volatile

         

     volatile      



             volatile 

  volatile 

RULE

RULE — Only volatile-qualied pointers can access volatile

variables

6.6.1 References

       

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  45

          

            

        

               

    

      

   

6.7 Implicit type declaration is prohibited

                

                 

typedef

Information

      -Wimplicit-int    

   int

RULE

RULE — No type omission is accepted when declaring a variable

         

  K&R



      

int foo(a,p)

int a;

char *p;

{ ...

}

               

            

Bad example

        

...

const ACONST = 42; /* prohibited : type of constant not explicitly defined (

implicite int) */

unsigned e; /* prohibited : type of e not explicitly defined ( implicit unsigned int )

signed f; /* prohibited : type of constant not explicitly defined

(implicit signed int) */

...

int foo(char a, const b) /* prohibited : type of b not explicitly defined ( implicit

int) */

{

...

}

        

46  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

bar( char c, const int d) /* prohibited : type of return of the function not

explicitly defined ( implicit int) */

{

}

Good example

    

...

const int ACONST = 42;

unsigned int e;

signed int f;

...

int foo( unsigned char a, const int b)

{

...

}

int bar( unsigned char c, const int d)

{

...

}

6.7.1 References

       

       

6.8 Compound literals

Compound literals              

             

        compound literal     

           

              

              

RECO

RECOMMENDATION — Limit the use of compound literals

      compound literals      

         

Bad example

#include <stdio .h>

#include <stdint .h>

#define MAX 10

struct point {

uint8_t x,y;

};

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  47

int main( void )

{

uint8_t i;

struct point *tab[MAX];

for (i = 0; i < MAX; i++){

tab[i] = &( struct point){i ,2*i};

}

for (i = 0; i < MAX; i++){

printf ("%d\n", tab[i]->x); /* undefined behaviour because the compound literal

defined in the previous loop does not exist anymore */

}

...

}

Good example

#include <stdio .h>

#include <stdint .h>

struct point {

uint8_t x,y;

};

#define MAX 10

int main( void )

{

uint8_t i;

struct point tab[MAX];

for (i = 0; i < MAX; i++){

tab[i] = ( struct point){i, 2*i};

}

for (i = 0; i < MAX; i++){

printf ("%d\n", tab[i].x);

}

...

}

6.8.1 References

        

        

         

6.9 Enumerations

                 

                    

               

               

               

                

    

48  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RULE

RULE — Do not mix explicit and implicit constants in an enumeration

              

   

                  

      

           

      

enum {

ZERO ,

ONE

};

   

const int ZERO =0;

const int ONE =1;

                 



RULE

RULE — Do not use anonymous enumerations

Bad example

enum une_enum {

enum1 =1,

enum2 ,

enum3 ,

enum4 =3 /* enum4 et enum3 ont la même valeur */

};

Good example

          

enum une_enum {

ENUM1 =0,

ENUM2 =1,

ENUM3 =2,

ENUM4 =3

};

6.9.1 References

            

  

         

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  49

6.10 Initialising variables before use

                  

      

Information

           

              

           

                  

       

RECO

RECOMMENDATION — Variables should be initialised at or immediately

after declaration

           

       

Information

           

-Wuninitialized          

              

         

Bad example

           

/* declarations in the body of a function */

uint32_t a;

uint32_t b;

uint32_t c;

a = b + c; /* variables are used but without initialisation */

Good example

            

     

/* declarations in the body of the function */

uint32_t a = 0;

uint32_t b = 0;

uint32_t c = 0;

a = b + c;

6.10.1 References

50  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

               

    

       

     

        

     

    

6.11 Initialisation of structured variables

            

               



RULE

RULE — Use only one initialisation syntax for structured variables

            

  

Bad example

int tab[10] = { 0, [4] = 3, 5, 6, [1] = 1, 2 };

struct type_t o = { .a = 10, 0, "bob" };

Good example

int tab[10] = { 0, 1, 2, 3, 5, 6, 0, 0, 0, 0 };

struct type_t o = { 10, 0, "bob" };

struct type_t p = { .a = 10, .b = 0, .c ="bob" };

         

int tab[N] = {0};

une_structure st = {0};

    all         

Warning

         

int tab[N] = {1}; /* does not mean that all the elements are 1, but that all are at

zero and only the first element is 1 */

             i.e. 

          

              

 

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  51

              

               

    

RULE

RULE — Structured variables must not be initialised without specifying the

initialisation value and each eld/element of the structured variable must

be initialised

          

        

 {0}             

    

Bad example

            

          



int32_t y[5] = {1, 2, 3}; /* the initialisation is misleading here - in reality ,

the last two elements are initialised at zero */

int32_t z[2] = {1, 2, 3}; /* as above - in reality the value 3 is ignored */

int16_t vv [5] = { [0] = -2, [1] = -9, [3] = -8, [2] = 18 }; /* source of error , the

indexes 2 and 3 are not in increasing order and 4 is forgotten */

struct person {

unsigned char name [20];

uint16_t roll;

float marks;

int grades [10];

};

struct person p1 = {" ", 0}; /* obscure */

struct person p2 = {"toto" ,67 ,78.3,{0},12}; /* everything is correctly initialised ,

including

all the elements of the array grades which are set to 0, but 12 is ignored */

Good example

           

    

int32_t y[5] = { 1, 2, 3, 4, 5 }; /* full initialisation */

int32_t z[2] = { 1, 2 }; /* no superfluous elements */

int32_t w[3] = { 0 }; /* accepted notation to initialise all elements with the

value 0 */

int16_t vv [5] = { [0] = -2, [1] = -9, [2] = 18, [3] = -8, [4] = 33 }; /* ok */

struct person {

unsigned char name [20];

uint16_t roll;

float marks;

int grades [10];

};

struct person p1 = { .name = "titi ", .roll = 12, . marks = 10.0f, . note = {0}};

/* all elements are explicitly initialised */

52  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

struct person p2 = { .name="toto", . roll =67, . marks =78.3 , .grades ={0}}; /* another

example of recognised initialisation , this time without superfluous elements

6.11.1 References

              

        

              

               

     

              



     

6.12 Mandatory use of declarations

               

                  

    

Information

       -Wunused-variable 

-Wunused-parameter         

RECO

RECOMMENDATION — Every declaration must be used

           

   

Warning

            

              

Bad example

           

uint32_t init_list(list_t** pp_list ) {

list_t * p_list = NULL ;

list_element_t * p_element = NULL;

uint32_t ui32_list_len = 0;

if (NULL == pp_list) {

return 0;

}

(* pp_list) = (list_t *)malloc( sizeof (list_t));

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  53

if (NULL == (* pp_list)) {

return 0;

}

(* pp_list)->p_head = NULL;

(* pp_list)->p_tail = NULL;

return 1;

}

Good example

        

uint32_t init_list(list_t** pp_list ) {

if (NULL == pp_list) {

return 0;

}

(* pp_list) = (list_t *)malloc( sizeof (list_t));

if (NULL == (* pp_list)) {

return 0;

}

(* pp_list)->p_head = NULL;

(* pp_list)->p_tail = NULL;

return 1;

}

6.12.1 References

        

          

          

          

          

          

       

       

              

6.13 Naming of variables for sensitive data

               

            

    

RULE

RULE — Use separate variables for sensitive data and non-sensitive data

54  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

             

   

RULE

RULE — Use different variables for sensitive data that are protected in

condentiality and/or integrity than the ones used for unprotected sensitive

data

              

        

             

  etc.  

RULE

RULE — Never hard-code sensitive data

Bad example

        

#define KEY_SIZE 32U

#define BUFFER_SIZE 512U

size_t key_len = 0;

size_t clear_data1_len = 0;

size_t encrypted_data2_len = 0;

uint8_t key[KEY_SIZE];

uint8_t data1 [ BUFFER_SIZE ];

uint8_t data2 [ BUFFER_SIZE ];

uint32_t error_code = 0;

error_code = cipher_data(clear_data , clear_data_len , key , key_len ,

encrypted_data , encrypted_data_len );

Good example

              

       

#define KEY_SIZE 32U

#define BUFFER_SIZE 512U

/* conventions :

suffix s for sensitive data variables‘’

clear prefix for unencrypted data‘’

encrypted prefix for encrypted data */

size_t encrypted_key_len_s = 0;

size_t clear_data_len_s = 0;

size_t encrypted_data_len_s = 0;

uint8_t encrypted_key_s[KEY_SIZE ];

uint8_t clear_data_s[BUFFER_SIZE ];

uint8_t encrypted_data_s[BUFFER_SIZE ];

uint32_t encrypted_error_code_s = 0;

encryptederrorCode = cipher_data(clear_data_s , clear_data_len_s ,

encrypted_key_s , encrypted_key_len_s , encrypted_data_s , encrypted_data_len_s);

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  55

6.13.1 References

 

      

       

     

     

56  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Types and type conversions

7.1 Explicit size for integers

Warning

               

  int              

   

int

              

               



                 

         

                

  stdint.h             int   

               

          

RECO

RECOMMENDATION — Only integer types with an explicit size and sign

should be used

   char              

              



RULE

RULE — Only signed char and unsigned char types must be

used to handle numeric values

Bad example

#define MAXUINT16 65535U

int value;

char c = 35; /* sign is not specified */

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  57

if (value >= MAXUINT16)

{

/* depending on the architecture */

}

Good example

#include <stdint .h> /* if C99 */

#define MAXUINT16 65535U

unsigned char c = 35U; /* sign is explicit , for numeric value manipulation */

...

uint32_t value ; /* if C99 */

typedef unsigned char uint8_t; /* type definition in C90 */

if (value >= MAXUINT16)

{

/* ... */

}

7.1.1 References

           

                 

         

              

       

       

   typedef            

  

          

             

      

        

   

7.2 Type alias

 typedef              typedef

                  

              

               

  strong type checking          

    

RECO

RECOMMENDATION — Do not redene type aliases

58  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Bad example

          

typedef unsigned short uint16_t; /* definition of type uint16_t */

typedef unsigned short uint16_type; /* type uint16_type is an alias of type

uint16_t */

typedef uint16_t unsigned_short ; /* type unsigned_short is a redefinition of type

uint16_t */

Good example

      i.e.     stdint.h  

             

typedef unsigned short uint16_t; /* definition of type uint16_t */

7.2.1 References

          

7.3 Type conversions

             

             

              

              

                   etc.

         

    integer promotion           

int              

  etc.         

 int  unsigned int

    type balancing          

             

      

Information

             

          

         

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  59

RULE

RULE — Detailed and precise understanding of the conversion rules

            

 

               

                



RULE

RULE — Explicit conversions between signed and unsigned types

        

   

Bad example

signed int v1 = -1;

unsigned int v2 = 1;

if (v1 < v2)

{

/* v1 converted to unsigned int and value -1 becomes UINT_MAX , therefore the if

condition is always false */

}

Good example

signed int v1 = -1;

unsigned int v2 = 1;

if (v1 < (signed int)v2)

{

/* v2 is explicitly converted to a signed integer - the condition is true */

}

               

            

Bad example

      

uint32_t u32;

int32_t s32;

uint16_t u16;

double dbl;

uint8_t idx;

s32 = 42;

u32 = s32; /* implicit conversion */

u16 = u32 + 2 * s32; /* implicit conversion to a smaller type */

dbl = u32 / u16; /* the result is 0 ( integer division ) */

s32 = dbl; /* implicit conversion float -> integer */

/* the following loop is infinite: idx being unsigned , idx >= 0 is always true

since an unsigned value cannot be negative */

for(idx = 27; idx >= 0; idx --) {

...

}

60  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Tolerated example

             

           

   

uint32_t u32;

int32_t s32;

uint16_t u16;

double dbl;

uint8_t idx;

s32 = 42;

u32 = (uint32_t)s32;

u16 = (uint16_t)(( int32_t )u32 + 2 * s32);

dbl = ( double)u16 / (double )u32;

/* the signed integer cast is used to avoid an infinite loop */

for(idx = 27; ( int8_t)idx >= 0; idx --) {

...

}

Good example

int32_t s32;

uint16_t u16;

double dbl;

uint8_t idx;

s32 = 42;

u32 = (uint32_t)s32;

u16 = (uint16_t)(( int32_t )u32 + 2 * s32);

dbl = ( double)u16 / (double )u32;

/* change of the loop */

idx=27;

while (idx >0)

{

...

}

Information

-Wconversion  -Wsign-conversion       

     

7.3.1 References

         

       

               



                

  

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  61

                 

             



                

      

      

          

              

             

              

 

            

   

     

    

    

      

      

              

    

7.4 Type conversion of pointers to structured variables of

different types

               

                

              



            



RECO

RECOMMENDATION — Do not use pointer type conversion on types struc-

tured differently

Bad example

            

#define TAB_SIZE 16U

typedef struct {

int32_t magic;

} s_a;

typedef struct {

62  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

int32_t magic;

int16_t s;

uint8_t x[TAB_SIZE ];

} s_b;

void foo(s_a* structa) {

s_b* p = (s_b *)structa; /* type conversion to be excluded */

p->magic = 0 xBAADCAFE;

p->s = 0xDEAD; /* overflow outside of the structure s_a */

p->x[0] = 4; /* and risk of overwritten data (buffer overflow) */

}

Good example

           

#define TAB_SIZE 16U

typedef struct {

int32_t magic;

} s_a;

typedef struct {

s_a h;

int16_t s;

uint8_t x[TAB_SIZE ];

} s_b;

void foo(s_b* structb) {

structb ->h.magic = 0xCAFEBABE ;

structb ->s = 0 xBEEF;

structb ->x [0] = 4;

}

7.4.1 References

             

    

                 

    

   

            

      

          

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  63

Pointers and arrays

              

             

    

8.1 Standardised access to the elements of an array

               

                  



    

int32_t tab1 [6];

int32_t * tab2 = malloc(6 * sizeof(int32_t ));

int32_t * tab3 = tab1;

int32_t * tab4 = tab2;

printf ("tab1: %p, %p, %p\n", tab1 , &tab1 [0], &tab1);

printf ("tab2: %p, %p, %p\n", tab2 , &tab2 [0], &tab2);

printf ("tab3: %p, %p, %p\n", tab3 , &tab3 [0], &tab3);

printf ("tab4: %p, %p, %p\n", tab4 , &tab4 [0], &tab4);

     

tab1 : 1559248928 , 1559248928 , 1559248928 /* tab1 =&tab1 [0]=& tab1 all represent the address of

the first element in the array */

tab2 : 911295072 , 911295072 , 1559248904 /* &tab2 is the address of the pointer returned by

malloc , pointing to the array , and tab2 (or & tab2 [0])

is the address of the first element of the array

tab2 */

tab3 : 1559248928 , 1559248928 , 1559248912 /* similar case to tab2 */

tab4 : 911295072 , 911295072 , 1559248920 /* similar case to tab2 */

               

         

      

int *var[N];

int (*var2)[N];

     N int     i.e.    N int  

          N int    

           expression    

               lvalue  

64  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

           sizeof _Alignof  &    

         

Expression

                a+b 

&a  

Lvalue

 lvalue            

         

      lvalue          

  

int tab[N];

tab = 0; // error

tab --; // error

              

        lvalue

Warning

   tab  tab  &tab[0]       

        &tab      

             

          tab      

         

n          tab1    

&tab            i.e.  

  

           tab  

            

 &tab            tab2 

 

          tab         

        

Warning

          

*(tab+i); /* usual notation 1 */

tab[i]; /* usual notation 2 */

*(i+tab); /* interchangeable array and index ! */

i[tab ]; /* interchangeable array and index ! */

             

            

             

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  65

      

              

                 

  

RULE

RULE — Access to the elements of an array will always be by designating

as the rst attribute the array and as the second attribute the index of the

element concerned

                

          

             

 []   

RECO

RECOMMENDATION — Access to elements in an array should be using

square brackets

             

      

Bad example

for (i = 0; i< size_tab; i++) {

*(i+tab) = i; /* the square brackets are not used and the index is in the first

position */

...

}

Good example

for (i = 0; i < size_tab; i++) {

tab[i] = i;

...

}

8.1.1 References

     

8.2 Non-use of VLAs

 



             

             

                  

  

66  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

              

                    

          

Information

 -Wvla           

RULE

RULE — Do not use VLAs

8.2.1 References

         

           

     

            

 

8.3 Explicit array size

                

               

     

RECO

RECOMMENDATION — Do not use an implicit size for arrays

              

Bad example

            

int32_t tab [] = { 1, 2, 3 }; /* array 3 elements , implicit size */

Good example

         

int32_t tab [3] = { 1, 2, 3 }; /* array of 3 elements , explicit size , with

initialisation */

int32_t tab2 [2] = { 2, 3 }; /* array of 2 éléments , explicit size , with

initialisation */

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  67

8.3.1 References

               



     

            

             

     

8.4 Systematic check for array overow

                

                  

          

RULE

RULE — Use unsigned integers for array sizes

RULE

RULE — Do not access an array element without checking the validity of

the used index

             

                  

                

  

Bad example

i++;

tab[i] = i; /* no overflow check */

Good example

for (i = 0; i < size_tab; i++){ /* size_tab is the number of elements in the array

tab[i] = i;

...

}

8.4.1 References

68  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

              

  

 

         

                



          

            

          

   

   

      

    

8.5 Do not dereference NULL pointers

  NULL            

              NULL

RULE

RULE — A NULL pointer must not be dereferenced

            

Bad example

             



void function(const unsigned char *input )

{

size_t size = strlen(input); /* the pointer may be NULL */

...

}

Good example

           

void function(const unsigned char *input )

{

if (NULL == input)

{

/* handling of the NULL pointer case */

}

else

{

size_t size = strlen(input);

/* ... */

}

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  69

8.5.1 References

       

     

    

  

  

8.6 Assignment to NULL of deallocated pointers

               

       dangling pointer

Dangling pointer

 dangling pointer            

  

                

                   

               

 use-aer-free      NULL       

                  

                

RULE

RULE — A pointer must be assigned to NULL after deallocation

       NULL     

   

Bad example

             

list_t *p_list = NULL;

p_list = create_list();

...

if(p_list != NULL ) {

free_list (p_list);

}

/* setting of p_list to NULL is missing */

Good example

          NULL   

      

list_t *p_list = NULL;

p_list = create_list();

...

if(p_list != NULL ) {

70  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

free_list (p_list);

p_list = NULL;

}

8.6.1 References

       

           

               

           

   

    

         

    

     

8.7 Use of the restrict type qualier



restrict

              

            restrict  restrict

               

                 

Alias

            

Warning

 restrict           

             

          

         restrict    

               

     restrict          



Warning

           

memcpy strcat strcpy etc.

            restrict     

               

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  71

       restrict        

restrict          

RULE

RULE — Do not use the restrict pointer qualier

 restrict            

i.e.             

           

Information

 -Wrestrict            restrict



Bad example

    restrict       

  

uint16_t * restrict ptdeb ;

uint16_t * restrict ptfin ;

uint16_t tab [12];

unsigned char * pt1;

unsigned char * pt2;

unsigned char c_str [] = "blabla ";

...

ptdeb = &tab[0];

ptfin = &tab[11];

ptdeb = ptfin; /* undefined behaviour */

...

pt1 = pt2 + 2;

memcpy (pt2 , pt1 , 3); /* undefined behaviour - restrict type memcpy parameters */

Good example

     restrict        

   

uint16_t * ptdeb; /* deletion of restrict qualifier */

uint16_t * ptfin; /* deletion of restrict qualifier */

uint16_t tab [12];

unsigned char * pt1;

unsigned char * pt2;

unsigned char c_str [] = "blabla ";

...

ptdeb = &tab[0];

ptfin = &tab[11];

ptdeb = ptfin; /* ok */

...

pt1 = pt2 + 2;

memmove (pt2 , pt1 , 3); /* change of function */

8.7.1 References

         

            

 

72  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

         

8.8 Limit on the number of pointer indirections

                

int32_t ***pppInt32           

   

RECO

RECOMMENDATION — The number of levels of pointer indirection should

be limited to two

            

Bad example

       

void function(int8_t *** arr_pt) /* 3 levels */

{

int8_t *** pt;

...

}

Good example

           

        

typedef int8_t * int8ptr_t;

void function(int8ptr_t ** arr_pt) /* reduction to two levels */

{

int8_t *pt_temp; /* temporary pointer */

int8ptr_t ** pt;

...

}

8.8.1 References

             

8.9 Give preference to the use of the indirection operator

                 

  ptr->field   (*ptr).field    

                

 (*ptr).field          

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  73

RECO

RECOMMENDATION — Give preference to the use of the indirection oper-

ator ->

   ->            



Bad example

            



(*list.p_head).pNext = NULL;

Good example

         

list .p_head ->pNext = NULL;

8.10 Pointer arithmetic

              

            

Pointer arithmetic

             

    

                  

              

  

RULE

RULE — Only incrementing or decrementing array pointers is authorised

          

        

  void*            

  void*             



RULE

RULE — No arithmetic on void* pointers is authorised

      void*     

                  

           

74  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RECO

RECOMMENDATION — Controlled pointer arithmetic on arrays

             

              

 

               

 

RULE

RULE — Subtraction and comparison between pointers in the same array

only

           

            

RECO

RECOMMENDATION — A xed address should not be assigned directly to

a pointer

Bad example

#include <stddef .h>

#include <stdint .h>

void function(int8_t * ptr_param )

{

int8_t tab1 [10];

int8_t tab2 [100];

int8_t *pt1 =& tab1 [0];

int8_t *pt2 =& tab2 [0];

ptr_param ++; /* it is not known whether ptr_param points to an array ... */

pt1++; /* pt1 points to the next element of tab1 */

ptr_param = pt1 + pt2; /* illegal memory access */

if (pt2 >= 15) /* not relevant */

{

/* ... */

}

uint8_t nb_elem = pt2 - pt1; /* the two pointers are not on the same array and

the type is not adapted */

...

}

Good example

#include <stddef .h>

#include <stdint .h>

void function(int8_t * ptr_param )

{

int8_t tab1 [10];

int8_t tab2 [100];

int8_t *pt1 = &tab1 [0];

int8_t *pt2 = &tab2 [0];

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  75

pt1++; /* pt1 points to the next element of tab1 */

pt2 = pt2 + 3; /* pt2 points to tab2 [3] */

pt1 = pt1 + 8; /* pt1 points to the last elements of tab1 */

if (pt1 >= tab1 ) /* same array ok */

{

/* ... */

}

ptrdiff_t nb_elem = pt2 - tab2 ; /* both pointers are on the same array and

dedicated type used (taken from stddef .h) */

...

}

8.10.1 References

              

        

             

    

               

       

                  



                 

                

             

        

              

         

        

    

         

         

     

     

76  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Structures and unions

9.1 Declaration of structures

                 

     etc.       

                

                

                 

       

RULE

RULE — A structure must be used to group data representing the same

entity

       

Information

               

    

Bad example

             

  

void rectangle (float x0, float y0, float x1 , float y1 , float x2 ,

float y2 , float x3 , float y3);

void pyramide(float* coords); /* coords is an array */

Good example

         

 

typedef struct point_s {

float x;

float y;

} Point_t;

typedef struct rectangle_s {

point_t xy0;

point_t xy1;

point_t xy2;

point_t xy3;

} rectangle_t;

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  77

typedef struct pyramid_s {

rectangle_t base;

point_t top;

} pyramid_t;

void rectangle (rectangle_t* rect);

void pyramid( pyramid_t* pyra);

9.2 Size of a structure

                    

                

                 

                    

      

RULE

100

RULE — Do not calculate the size of a structure as the sum of the size of

its elds

                

     

Bad example

#define SIZE_TABL 100

...

typedef struct {

int tabl[ SIZE_TABL ];

size_t size;

} my_struct;

...

size_t sizestruct = sizeof (my_struct. tabl)+sizeof ( my_struct.size);

/* assumes that the size of the structure is the sum of the size of the elements */

...

Good example

#define SIZE_TABL 100

...

typedef struct {

int tabl[ SIZE_TABL ];

size_t size;

} my_struct;

...

size_t sizestruct = sizeof ( my_struct); /* good size */

...

Warning

       packed      

78  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

9.2.1 References

      

                  

             

9.3 bit-eld

                   

         bit-eld     

int           int      

              

RULE

101

RULE — All bit-elds must be explicitly declared as unsigned

          

          

RULE

102

RULE — Do not make assumptions about the internal representation of

structures with bit-elds

Bad example

typedef struct structure {

int ok: 1; /* bit -field of size 1 */

int value: 7; /* bit - field for which the sign depends on the compiler used */

} struct_bitfield;

struct_bitfield s;

int *pt_s;

pt_s =(int *) &s;

s.ok =1;

if(s.ok ==1) /* if compiled with gcc for example , by default the bit - fields are

signed , therefore being of size 1, s.ok equals 0 or -1 ! */

{

pt_s ++; /* ? */

*pt_s =100; /* ? */

}

Good example

typedef struct structure {

unsigned int ok: 1; /* unsigned bit - field */

unsigned int value : 7; /* unsigned bit - field */

} struct_bitfield;

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  79

struct_bitfield s;

s.ok =1;

if(s.ok ==1) /* no longer compiler dependent */

{

s.value =100;

}

9.3.1 References

             

                 

 

            

     

9.4 Use of FAMs





              

              

                 

    

             

     

RULE

103

RULE — Do not use FAMs

9.4.1 References

         

           

            

9.5 Do not use unions

                

                

               

   

80  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RECO

104

RECOMMENDATION — Do not use unions

             

                  

                 

   

9.5.1 References

         

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  81

Expressions

10.1 Integer expressions

         

                  

             

RULE

105

RULE — Remove all possible value overows for signed integers

RECO

106

RECOMMENDATION — Detect all possible value wraps for unsigned inte-

gers

Bad example

       

#include <stdint .h>

void f( uint8_t i, int8_t j)

{

uint8_t ibis = i+ 2;

int8_t j_bis = j +3;

/* ... */

}

Good example

      

#include <stdint .h>

void f( uint8_t i, int8_t j)

{

uint8_t ibis;

int8_t j_bis;

if (i > (UINT8_MAX - 2))

{

/* error */

}

else

{

ibis =i+2;

82  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

}

if (j > (INT8_MAX - 3))

{

/* error */

}

else

{

jbis =j+3;

}

/* ... */

}

           

RULE

107

RULE — Detect and remove any potential division by zero

             



Bad example

             

#include <stdint .h>

void func( int8_t i, int8_t j)

{

int8_t result;

result = i / j;

...

}

Good example

             

#include <stdint .h>

void func( int8_t i, int8_t j)

{

int8_t result;

if (0 == j)

{

/* error */

}

else

{

result = i / j;

}

...

}

10.1.1 References

          

             



          

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  83

           % 

 

           

     

   

    

    

10.2 Readability of arithmetic operations

               

             



               

 etc.           

     n       2

       

  

a << b;

       a ∗ 2

        

               

          cf.       

               

RECO

108

RECOMMENDATION — Arithmetic operations should be written in a way

that assists with readability

            

     

Bad example

          

     

/* In the following calculation , we want to calculate a² + 4 ac + b² */

uint64_t res;

uint32_t a, b, c;

res = a * a + ((a * c) << 2) + b * b; /* an explanation would be welcome */

/* a<<b is equalivaent to a* 2^b but here the bit shift is used for a

multiplication */

...

/* mask computation */

uint32_t bitfield = 0xCAFEBABE ;

uint32_t n, bitmask;

n = 4;

bitmask = 1;

for(n = n; n > 0; n--) {

bitmask = 2 * bitmask ;

} /* on the contrary here , the bit shift would have been more logical */

84  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

bitfield = bitfield & (~ bitmask);

Good example

        

/* computation of a² + 4 ac + b² */

uint64_t res;

uint32_t a;

uint32_t b;

uint32_t c;

res = (a * a) + (4 * (a * c)) + (b * b); /* plus clair */

...

/* mask computation */

uint32_t bitfield = 0xCAFEBABE ;

uint32_t n = 4;

uint32_t bitmask

bitmask = 2 << n; /* bits handling */

bitfield = bitfield & (~ bitmask);

10.2.1 References

            

10.3 Use of parentheses to make explicit the order of the

operators

               

              



               

             

Information

           

RULE

109

RULE — Explanation of the order of evaluation of calculations through the

use of parentheses

            

           

10.3.1 References

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  85

                

    

            

                

    

          &&  ||    

  

     

10.4 No multiple comparison of variables without

parentheses

                   

                 

     (0<=x<=n)    i.e. 0<=x    

                  

               (0<=x<=n)  

   ((0<=x)<=n)    ((0<=x)&&(x<=n))

      if(a==b==c)        

                 

               

    c    a  b  

Boolean expression

               

        stdbool.h   

             

              

           

              

             

     

           

              

RECO

110

RECOMMENDATION — Avoid expressions of comparison or multiple equal-

ity

86  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RULE

111

RULE — Always use parentheses in expressions of comparison or multiple

equality

           

    

Bad example

#define N 100

...

if (0 <= x <= N) {

/* statement 1 ALWAYS executed */

} else {

/* statement 2 NEVER executed */

}

...

if (30 < x < 40) {

printf ("pb"); /* ALWAYS executed */

}

...

Good example

#define N 100

...

if ((0 <= x) && (x <= N)) { /* case 1 : breakdown into 2 relational expressions */

/* statement 1 */

} else {

/* statement 2 */

}

...

if (30 < x) { /* case 2 : breakdown into 2 nested conditional statements */

if (x<40) {

printf ("pb");

...

}}

10.4.1 References

            

            

        

            

     

10.5 Parentheses around elements of a boolean expression

             

             

         

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  87

RULE

112

RULE — Parentheses around the elements of a boolean expression

            

          

Bad example

             

             

if (x > 0 && y * z > length ) {

...

}

u = z > 100 && 100 == x || x + y < z;

Good example

              

  

if ((x > 0) && ((y * z) > length)) {

...

}

u = (z > 100) && ((100 == x) || ((x + y) < z));

10.5.1 References

        

     

10.6 Implicit comparison with 0 prohibited

                

                

              

           

    

     

RULE

113

RULE — Implicit comparison with 0 prohibited

            

         

88  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RECO

114

RECOMMENDATION — Using the bool type in C99

   bool  _Bool         

      bool       

Bad example

             

 

#define MAX 10

uint8 z;

while (x) {

...

}

if (x < y) {

...

} else {

...

}

if (!z) { /* implicit comparison with 0 and z should be of the bool type */

...

}

if (ptr) {

...

}

for (x = MAX; x; x--) {

...

}

Good example

           

   

#include <stdbool .h>

bool z; /* use of the bool type */

while (x > 0) {

...

}

if (x < y) {

...

} else {

...

}

if (FALSE== z) { /* constant on the left and explicit comparison of z; z being of

the bool type , if (! z) can be used */

...

}

if (NULL != ptr) {

...

}

for (x = MAX; x > 0; x--) {

...

}

10.6.1 References

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  89

             

10.7 Bitwise operators

             

       

RECO

115

RECOMMENDATION — Bitwise operators must be used with unsigned

operands only

      & |  ^       

          && ||  !      

              

               



RULE

116

RULE — No bitwise operator on an operand of type boolean or similar

Bad example

if ((var >= 0) & (var < 120)) { /* operator confusion */

...

if ((val && FLAG) != 0) /* operator confusion ? */

...

}

Good example

if ((var >= 0) && (var < 120)) { /* correction */

...

if ((val & FLAG) != 0) /* correct use here of the bitwise operator

in a boolean expression */

...

}

10.7.1 References

         

   

                  

        

90  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

   

           

     

10.8 Boolean assignment and expression

                

             

   =     ==

GOOD

PRACTICE

117

GOOD PRACTICE — Do not use the value returned during an assignment

Information

        -Wall etc.   

            

  -Wparentheses 

RULE

118

RULE — Assignment prohibited in a boolean expression

            

     

            =     

  ==             

            ==    

                 



GOOD

PRACTICE

119

GOOD PRACTICE — Comparison with constant operand on the left

             

      

Information

            

           -Wall  

              

        

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  91

Bad example

           

        

if ((x = y + z) > 0) { /* assignment in a Boolean expression and use of the value

returned by the assignment and constant on the right */

...

}

if (z = VALUE) { /* constant on the right and = instead of == */

...

}

Good example

           

    

x = y + z;

if (0 < x) {

...

}

if (VALUE == z) {

...

}

10.8.1 References

            

         

      

     

     

     

10.9 Multiple assignment of variables prohibited

                

        

             

            

  

RULE

120

RULE — Multiple assignment of variables prohibited

      

92  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Bad example

      

...

a = b = c = d = 1; /* multiple assignment */

Good example

       

...

a = 1;

b = 1;

c = 1;

d = 1;

10.10 Only one statement per line of code

                  

           

               

                  

 

                 

 

RULE

121

RULE — Only one statement per line of code

Bad example

         

int32_t a; int64_t b;

a = 4; b = a / 6; printf("a = %d, b = %lld\n", a, b);

Good example

int32_t a;

int64_t b;

a = 4;

b = a / 6;

printf ("a = %d, b = %lld\n", a, b);

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  93

10.11 Use of oating-point numbers

Information

           



               

              

          

             

   absorption



 cancellation



       

                

          

   

              

       

              

  etc.

               

            

                

    

GOOD

PRACTICE

122

GOOD PRACTICE — Avoid oating constants

              

           

         

RECO

123

RECOMMENDATION — Limit the use of oating-point numbers to what is

strictly necessary

       

                

  

          LargeF loatV alue + F loatingEpsilon = LargeF loatV alue i.e.  

       

                 

  F loatV alue1 − F loatV alue2 = 0   F loatV alue1 ̸= F loatV alue2

94  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RULE

124

RULE — No oat type loop counter

             

  

               

              != 

==                 

     

RULE

125

RULE — Do not use oating-point numbers for comparisons of equality or

inequality

Bad example

float y = 0.1; /* not representable in simple precision */

...

if (y == 0.1) /* comparison of float value AND 0.1 double value so promotion of y

printf ("equal\n");

else

if (y == 0.1f) /* 0.1f float value - condition checked here */

printf ("equal2\n");

else printf(" not equal\n");

...

for (float x = 0.1f; x <= 1.0f; x += 0.1f) { /* the loop will be carried out 9 or

10 times */

}

Good example

double y = 0.1; /* type correction */

...

for (uint count = 1; count <= 10; count ++) {

float x = count /10.0f; /* 10 passes exactly in the loop */

}

10.11.1 References

           

          

           

        

        

           

       

        

       

    

      

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  95

   

10.12 Complex numbers

              

 double_Complex long double_Complex  float_Complex    

 complex.h       double complex long double complex 

float complex           double_Imaginary

long double_Imaginary  float_Imaginary    double imaginary long double imaginary

 float imaginary 

              

RECO

126

RECOMMENDATION — No use of complex numbers

        

96  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Conditional and iterative structures

11.1 Use of braces for conditionals and loops

                  

                  

                   

         

RULE

127

RULE — Systematic use of braces for conditionals and loops

              

           

Bad example

          

if (x == 0) /* braces are required , even for a single statement */

printf ("X = 0\n");

/* An indented statement under the printf may visually suggest that the statement

is within the if , but it is not. For a jump statement like "goto", this may

result in a significant portion of the code not being executed . */

if (x != 0) {

if (x < 0) {

...

while (x < 0) {

x++;

...

}

} else {

while (x > 0) {

x--;

...

}

/* example of ’Apples goto fail */

if (err = SSLHashSHA1.update (&hashCtx , &signedParams )) != 0)

goto fail;

/* other checks , but not reachable due to the duplicate goto fail

without braces */

fail :

/* cleaning and releasing of buffers */

return err;

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  97

Good example

          

if (0 == x) {

printf ("X = 0\n");

} else {

if (x < 0) {

...

while (x < 0) {

x++;

...

}

} else {

while (x > 0) {

x--;

...

}

/* example of goto fail - Apple */

if (err = SSLHashSHA1.update (&hashCtx , &signedParams )) != 0) {

goto fail;

}

/* other checks */

fail :

/* cleaning and releasing of buffers */

return err;

11.1.1 References

              



              

11.2 Correct construction and use of switch statements

 switch               

                 

              

      switch         

                 

        switch  

RULE

128

RULE — Systematic denition of a default case in switch

 switch-case        

RECO

129

RECOMMENDATION — Use of break in each case of switch state-

ments

   switch-case          

                



98  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Information

 -Wimplicit-fallthrough          



    case             

    case             

    case

RECO

130

RECOMMENDATION — No nesting of control structure in a

switch-case

            switch  



              switch

            switch-case

RULE

131

RULE — Do not insert statements before the rst label of a

switch-case

Bad example

      default   

switch (var) {

int i = 0; /* not authorized */

case VAL1:

...

break;

case VAL2:

...

case VAL3:

...

break;

/* absence of default and break and no comment to explain the case on the value

VAL2 */

}

Good example

           case   

               

    

int i = 0; /* displaced declaration and initialisation */

switch (var) {

case VAL1:

...

break;

case VAL2:

...

/* break voluntarily missing */

case VAL3:

...

break;

default :

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  99

...

}

11.2.1 References

        

              

       

          

          

           

            

               

      

                



      

        switch  

11.3 Correct construction of for loops

                 for 

               

    for            

for         for    

                 

                 

       for        

           

            

   for           

                 

      while (1) { ... }        for(;;) { ... }

RULE

132

RULE — Correct construction of for loops

    for         

  for             

       

Bad example

            

           for   for

     while() { ... }  do { ... } while () 

100  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

#define MAX_LOOP 10U

for (;;) {

data = read();

if (0 == data) {

break;

}

...

}

for (i = 0;;) { /* missing elements */

max = some_function(i);

i++;

if (i >= max) {

break;

}

...

for (i = 0, a = 0; i < MAX_LOOP; i++, a += 2) {

...

some_function (a);

...

}

Good example

           for   

             

    

#define MAX_LOOP 10U

for (i = 0; i < arraySize; i ++) {

...

dataArray [i] = some_function(i);

...

}

while (1) {

data = read();

if (0 == data) {

break;

}

...

}

i = 0;

do {

max = some_function(i);

i++;

}

while (i < max);

...

a = 0;

for (i = 0; i < MAX_LOOP; i++) {

...

some_function (a);

...

a += 2;

}

11.3.1 References

        



                  

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  101

11.4 Changing of a for loop counter forbidden in the body of

the loop

     for           

                

                  

             for 

                   

     for            

break      

RULE

133

RULE — Change to a counter of a for loop forbidden in the body of the

loop

    for           for 

Bad example

     for          

       

#define MAX_LOOP 10U

for (i = 0; i != MAX_LOOP; i ++) {

...

if (...) {

/* if the condition is met with i == 9, we end up in an infinite loop . */

i++;

}

...

}

Good example

                for



#define MAX_LOOP 10U

for (i = 0; i < MAX_LOOP; i++) {

...

if (some_function ()) {

break; /* loop stopped */

}

...

}

11.4.1 References

  

102  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  103

Jumps in the code

12.1 Do not use backward goto

     goto           

                 

              

       for while  do-while

RULE

134

RULE — No use of backward goto

       goto       

   goto 

Bad example

      goto    

            

      

#define BUFFER_SIZE 100U

void foo() {

uint8_t s[BUFFER_SIZE ];

uint8_t x = 0;

my_loop :

s[x] = x;

x++;

if(x < BUFFER_SIZE )

{

goto my_loop; /* backward goto prohibited */

}

Good example

              

 goto

#define BUFFER_SIZE 100U

void foo() {

uint8_t s[BUFFER_SIZE ];

uint8_t x = 0;

for(x = 0; x < BUFFER_SIZE; x++) {

s[x] = x;

}

104  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

12.1.1 References

         

12.2 Limited use of forward goto

 forward goto             

    forward goto         

             

              

           goto

 forward goto              

   

RECO

135

RECOMMENDATION — Limited use of forward goto

     goto        

           

       

     goto          



Good example

        goto      

    

#define BUFFER_LEN (128 U)

int32_t my_function (int32_t a) {

FILE * f = NULL;

uint8_t *buffer = NULL;

int32_t result = ERR_UNDEFINED ;

f = fopen("/my/path", "r");

if(NULL == f) {

result = ERR_FOPEN;

} else {

buffer = (uint8_t *) malloc(BUFFER_LEN * sizeof(uint8_t));

if(NULL == buffer ) {

result = ERR_MALLOC;

}

else

{

...

free (buffer);

buffer = NULL;

result = ERR_NOERROR;

}

fclose (f);

f = NULL;

}

return result;

}

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  105

Tolerated example

      goto     

 

int32_t my_function (int32_t a) {

FILE * f = NULL;

uint8_t *buffer = NULL;

int32_t result = ERR_UNDEFINED ;

f = fopen("/my/path", "r");

if(NULL == f) {

result = ERR_FOPEN;

goto cleanup;

}

buffer =( uint8_t *)malloc(BUFFER_LEN * sizeof ( uint8_t));

if(NULL == buffer ) {

result = ERR_MALLOC;

goto cleanup;

}

...

result = ERR_NOERROR;

cleanup :

if(NULL != f) {

fclose (f);

f = NULL;

}

if(NULL != buffer ) {

free (buffer);

buffer = NULL;

}

return result;

}

12.2.1 References

   

106  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Functions

13.1 Correct and consistent declaration and denition

Declaration/Prototype of function

       prototype       

               

   

Denition of function

           i.e.     

          

                 

               

              

             

                

Information

    -Wimplicit-function-declaration  -Wimplicit-int

 -Wreturn-type        i.e.    

         

RULE

136

RULE — Any (non-static) function dened must have a function declara-

tion/prototype

RULE

137

RULE — The prototype declaration of a function must be consistent with

its denition

              

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  107

RULE

138

RULE — Every function must have an explicit return type and parameter

list associated with it

            

      void        

         void  

              

         

Bad example

              

            

   

/* header .h */

foo( uint8_t a); /* the return type is missing */

uint32_t bar(uint16_t b);

void car(); /* void is missing in the parameter type to indicate that the

function does not take parameters */

/* file.c */

foo( uint8_t a) {

...

}

uint32_t bar(int32_t b) { /* after the declaration , b must be a uint16_t */

...

}

void car() {

...

}

Good example

          

/* header .h */

void foo( uint8_t a);

uint32_t bar(uint16_t b);

void car( void );

/* file.c */

void foo( uint8_t a) {

...

}

uint32_t bar(uint16_t b) {

...

}

void car( void ) {

...

}

13.1.1 References

       

            

                



         

108  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

             

        

          

           

       

       

             



      

13.2 Documentation of functions

             

              

               

Passing of parameter by value or copying

              

              

             

     

Passing of parameters by reference or pointer

              

              

             

     

RECO

139

RECOMMENDATION — Documentation of functions

      

         

           

         

      

                

        

RECO

140

RECOMMENDATION — Specify call conditions for each function

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  109

13.3 Validation of input parameters

               

         

     

    etc.

    etc.

               

RULE

141

RULE — The validity of all the parameters of a function must systematically

be questioned

 

           

      etc.

            

         cf.      

     

Bad example

           

double division(int32_t n, int32_t d) {

/* d != 0 not verified */

return (( double )n) / (( double)d);

}

Good example

 

            



double division(int32_t n, int32_t d) {

double res = 0.0;

if (0 == d) {

/* error handling */

}

else {

res = (( double)n) / (( double )d);

}

return res;

}

 

             



uint8_t encrypt(uint8_t *output , int32_t * output_len ,

const uint8_t *input , const int32_t input_len ,

encrypted_ctx *ctx) {

uint8_t err = 0;

110  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

if (( NULL == output ) || (NULL == output_len) || (NULL == encrypted_ctx)) {

err++; /* error handling */

}

if (( NULL == input ) || ( input_len <= 0) || (input_len > MAX_INPUT_LEN)) {

err++; /* error handling */

}

if (0 == err) {

/* API code */

}

return err;

}

13.3.1 References

          

       

      

           

         

    

       

       

        

      

13.4 Use of the qualier const for pointer-type function

parameters

            const 

                 

               

            

          const     

         

RULE

142

RULE — Pointer-type function parameters which point to memory that is

not to be changed must be declared as const

  const            

          const     

  

Bad example

     const   

uint32_t foo(uint32_t *val) {

/* val lue */

uint32_t ret = 0;

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  111

if(TEST_VALUE > *val) {

ret = (*val) * 2;

} else {

ret = (*val);

}

return ret;

}

Good example

    const        

              

uint32_t foo(const uint32_t *val) {

uint32_t ret = 0;

if (NULL != val){

if(TEST_VALUE > *val) {

ret = (*val) * 2;

} else {

ret = (*val);

}

return ret;

}

13.4.1 References

     

              

  

       

            

    

    

13.5 Using inline functions

    inline       inline   

              

    inline         

Information

 inline             



RULE

143

RULE — inline functions must be declared as static

     inline    static

112  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

13.5.1 References

             



     

13.6 Redening functions

                  

              

   

RULE

144

RULE — Do not redene functions or macros from the standard library or

another library

             

     

Bad example

              

      

/* do not reuse the name of the standard library */

void* malloc (size_t taille );

Good example

               

    

/* renaming of the function */

void* mymalloc (size_t taille );

13.6.1 References

             



             



13.7 Mandatory use of the return value of a function

       void          

              

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  113

               

          

                

           

     

RULE

145

RULE — The return value of a function must always be tested

            

Bad example

               

       

struct stat o_stat_buffer;

stat (" somefile.txt", & o_stat_buffer );

/* success of the stat function not tested */

...

Good example

            

struct stat o_stat_buffer;

uint8_t i_result = 0;

i_result = stat(" somefile.txt", &o_stat_buffer );

if (0 != i_result) {

/* erreur */

return 0;

}

...

13.7.1 References

         

              



               

    

       

        

13.8 Implicit return prohibited for non-void functions

                 void

               

      

114  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RULE

146

RULE — Implicit return prohibited for non-void type functions

    void      

Bad example

             

uint32_t encr_data(const uint8_t * p_data , uint32_t ui32_data_len ,

uint8_t ** pp_encrypted_data , uint32_t * ui32_encrypted_data_len)

{

uint8_t *p_encrypted_data = NULL;

if (NULL != p_data

&& NULL != pp_encrypted_data

&& NULL != ui32_encrypted_data_len) {

if (ui32_data_len > 0) {

p_encrypted_data = ( uint8_t *)calloc(ui32_data_len , sizeof ( uint8_t));

...

return 1;

}

/* implicit return */

}

Good example

           

uint32_t encr_data(const uint8_t * p_data , uint32_t ui32_data_len ,

uint8_t ** pp_encrypted_data , uint32_t * ui32_encrypted_data_len)

{

uint32_t ui32_result_code = 0;

uint8_t *p_encrypted_data = NULL;

if (NULL == p_data

|| NULL == pp_encrypted_data

|| NULL == ui32_encrypted_data_len) {

ui32_result_code = 0;

goto End;

}

if (0 == ui32_data_len) {

ui32_result_code = 0;

goto End;

}

p_encrypted_data = ( uint8_t *)calloc(ui32_data_len , sizeof ( uint8_t));

...

(* pp_encrypted_data ) = p_encrypted_data;

ui32_result_code = 1;

End:

return ui32_result_code ;

}

13.8.1 References

                

    

             

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  115

13.9 No passing by value of a structure as function

parameter

                 

               

      

              const

               const

              



RULE

147

RULE — Structures must be passed by reference to a function

           

Bad example

             

#define STR_SIZE 20U

typedef struct

{

unsigned char surname[STR_SIZE ];

unsigned char firstname[STR_SIZE];

} person_t;

uint32_t add_person (person_t person ) {

size_t sz_surname_len = 0;

size_t sz_firstname_len = 0;

sz_surname_len = strlen(person.surname);

sz_firstname_len = strlen(person.firstname);

if (0 != sz_surname_len && 0 != sz_firstname_len ) {

...

ui32_result = 1;

} else {

ui32_result = 0;

}

return ui32_result;

}

...

void some_function () {

person_t person;

...

add_person ( person);

...

}

Good example

           

#define STR_SIZE 20U

typedef struct

{

unsigned char surname[STR_SIZE ];

unsigned char firstname[STR_SIZE];

} person_t;

116  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

uint32_t add_person (const person_t *person ) {

uint32_t ui32_result = 0;

size_t sz_surname_len = 0;

size_t sz_firstname_len = 0;

if (NULL != person) {

sz_surname_len = strlen(person ->surname);

sz_firstname_len = strlen(person ->firstname);

if (0 != sz_surname_len && 0 != sz_firstname_len ) {

...

ui32_result = 1;

} else {

ui32_result = 0;

}

else {

ui32_result = 0;

}

return ui32_result;

}

void some_function () {

person_t person;

...

add_person (& person);

...

}

13.10 Passing an array as a parameter for a function

                 

                 

            []      

   

RECO

148

RECOMMENDATION — Passing of an array as a parameter for a function

               

            

          

Warning

             

           

        tab[][]   

           

Bad example

          

               

     

      

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  117

     

void func( int32_t *tab , uint32_t count);

Good example

             

        

void func( int32_t tab[], uint32_t count ); /* tab is an array of count elements */

13.11 Mandatory use in a function of all its parameters

                 

     

             

                 

          

             

    

             

              

RECO

149

RECOMMENDATION — Mandatory use in a function of all its parameters

               



Information

 -Wunused-parameter         

Bad example

              

  

uint32_t compute_data ( uint32_t ui32A , uint32_t ui32B , uint32_t ui32C) {

uint32_t ui32_result = 0;

ui32_result = 2 * ui32A + 2 * ui32B;

return ui32_result;

}

118  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Good example

             



uint32_t compute_data ( uint32_t ui32A , uint32_t ui32B) {

uint32_t ui32_result = 0;

ui32_result = 2 * ui32A + 2 * ui32B;

return ui32_result;

}

13.11.1 References

          

            

13.12 Variadic functions

  i.e.             

              

               

                

         

Information

 -Wformat=2          

      

 NULL       NULL         

                

   NULL              NULL

      NULL        

RULE

150

RULE — Do not call variadic functions with NULL as an argument

Bad example

...

unsigned char * string = NULL;

printf ("%s %d\n", string , 1); /* undefined behaviour */

...

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  119

Good example

...

unsigned char * string = NULL;

printf ("%s %d\n", ( string ? string : "null"), 1); /* not passing NULL */

...

13.12.1 References

    <stdarg.h>    

              

          

             

              

       

      

120  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Sensitive operators

14.1 Use of the comma prohibited for statement sequences

                  

                 

              

                

   

RULE

151

RULE — Use of the comma prohibited for statement sequences

        

             

  

   for    

Bad example

              

         

int32_t i = (j = 2, 1);

y = x ? (a++, a + 4) : c;

z = 3 * b + 2, 7 * c + 42;

a = (b = 2, c = 3, d = 4);

for(i = 0, j = SZ_MAX; i < SZ_MAX ; i++, j--) {

...

}

Good example

             

int32_t i, j;

i=1;

j=2;

if (0 != x) {

a++;

y = a + 4;

} else {

y = c;

}

z = 3 * b + 2;

j = SZ_MAX;

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  121

for(i = 0; i < SZ_MAX; i++) {

...

j--;

}

14.1.1 References

         

14.2 Using pre/postx ++ and -- operators and

compound assignment operators

   ++  --            

                 

                

              

 i.e. i++; ++j;           





     

RECO

152

RECOMMENDATION — The prex operators ++ and -- should not be used

       

         

RECO

153

RECOMMENDATION — No combined use of postx operators with other

operators

          



              

 >>= &= *= etc.

RECO

154

RECOMMENDATION — Avoid the use of combined assignment operators

Bad example

           

           

                 

122  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

#define TAB_SIZE 25U

...

uint32_t x;

uint8_t b[ TAB_SIZE] = { 0 };

uint16_t i = 0;

x = foo(i++, i); /* not specified: problem with the order of evaluation of the

parameters */

...

uint32_t foo(uint16_t a, uint16_t b) {

return a * b;

}

Good example

          

#define TAB_SIZE 25U

...

uint32_t x;

uint8_t b[ TAB_SIZE] = { 0 };

uint16_t i = 0;

i++; /* N.B. replacing this statement with ++i; would not change the behaviour of

the program in any way */

x = foo(i, i);

...

uint32_t foo(uint16_t a, uint16_t b) {

return a * b;

}

14.2.1 References

            

               

14.3 No nested use of the ternary operator “?:”

   ?:              



              

           

       if-else    

RULE

155

RULE — No nested use of the ternary operator ?:

     ?:  

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  123

               

           

RULE

156

RULE — Correct construction of the expressions with the ternary opera-

tor ?:

       ?:      

     

Bad example

            

               

y = (x <42) ? 1042 : (t> 0) ? -1042 : 0.0;

/* integer and float , therefore implicit cast */

Good example

     if-else       

            

if(x < 42) {

y = 1042;

} else {

if(t > 0) {

y = -1042;

} else {

y = 0;

}

14.3.1 References

124  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Memory management

15.1 Dynamic memory allocation

              

               

       sizeof           

                

RULE

157

RULE — Dynamically allocate sufcient memory space for the allocated

object

  ptr       ptr=malloc(sizeof(*ptr));  



            

RULE

158

RULE — Free dynamically-allocated memory as soon as possible

            



      

             

RULE

159

RULE — Sensitive memory areas must be reset before being freed

Warning

                

            

           

              

     memset      

              



RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  125

RULE

160

RULE — Do not free memory not allocated dynamically

 realloc            

                 

                

           

      

RULE

161

RULE — Do not change the dynamic allocation via realloc

Warning

    realloc   NULL      

      

Bad example

#include <stdlib .h>

void fonc( size_t len){

long *p;

p = ( long *) malloc(len * sizeof(int)); /* incorrect type */

...

p = ( long *) realloc(p,0) ; /* release of p via realloc */

...

free (p); /* double release of p */

}

Good example

#include <stdlib .h>

void fonc( size_t len){

long *p;

p = ( long *) malloc(len * sizeof(long )); /* corrected type */

...

free (p); /* realloc deleted and replaced by free */

}

15.1.1 References

                





          

       

        

            

         

126  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

      

            

   

                  

  

      

          

        

         

      

      

    

    

     

          

               

    

15.2 Use of the sizeof operator

 sizeof                 

               

      

                   

sizeof              

             sizeof   

                 

 

    pack

    

Warning

 pack    

             pack  

    

       sizeof(array)/sizeof(array[0])  

                  

       sizeof           

               sizeof 

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  127

                  

  

RULE

162

RULE — Correct use of the sizeof operator

    

sizeof

 

          

  

       

Warning

 sizeof               



Bad example

        sizeof 

uint8_t tab[LEN ];

typedef struct s_example {

uint32_t ui_field1;

uint8_t ui_field2;

} t_example;

int32_t i, isize;

t_exemple test;

t_exemple * ptr;

i = 5;

ptr = NULL;

isize = sizeof (i = 1234); /* the expression i= 1234 will not be processed */

/* i has the value 5, and not 1234. isize equals 4 */

isize = sizeof ( t_example); /* the value returned by sizeof is 8 for 32 - bit

alignment */

isize = sizeof (* ptr); /* the expression sizeof(* ptr) returns the size of the

structure t_example */

void crawl_tab(uint8_t tab [])

{

for (size_t i = 0; i < sizeof(tab) / sizeof (tab [0]); i++) /* tab is therefore a

pointer type parameter ! */

...

}

Tolerated example

             

          sizeof 

#pragma pack(push , 1) /* 1 byte alignment - NOT STANDARD - */

uint8_t tab[LEN ];

typedef struct s_example

{

uint32_t ui_field1 ;

uint8_t ui_field2 ;

} t_exemple;

#pragma pack(pop) /* return default alignment */

int32_t i;

size_t isize;

128  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

i = 5;

isize = sizeof ( int32_t);

i = 1234;

isize = sizeof ( t_example); /* the value returned by sizeof is 5 since the structure

was declared with a 1 byte alignment */

void crawl_tab(uint8_t tab[], size_t n) /* known array size */

{

for (size_t i = 0; i < n; i++) /* tab is therefore a pointer type parameter! */

...

}

15.2.1 References

              

               

                  

              

   

      

    sizeof()    

       

15.3 Mandatory verication of the success of a memory

allocation

                  

                

     

          NULL    

             NULL

              

        

RULE

163

RULE — Mandatory verication of the success of a memory allocation

         

                  

 

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  129

Bad example

          

point_t *p_point;

p_point = (point_t *)malloc ( sizeof(point_t ));

/* no check on function return */

p_point ->x = 0.0f;

p_point ->y = 0.0f;

Good example

             

  

point_t *p_point = NULL;

p_point = (point_T *)malloc ( sizeof(point_t ));

if (NULL != p_point) {

p_point ->x = 0.0f;

p_point ->y = 0.0f;

} else {

/* error handling */

}

15.4 Isolation of sensitive data

               

             

auxiliary channels





             

                 

    

               

    

Warning

             memset  

            

               

              

    

RULE

164

RULE — Sensitive data must be isolated

           i.e.  

           

   

          etc.

130  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Bad example

                

 

#define WORK_SIZE 32U

#include <stdlib .h>

void process( const uint8_t *key , uint16_t key_size , const uint8_t *init ,

uint16_t init_size) {

uint8_t buffer[WORK_SIZE ];

if ((NULL == key) || ( NULL == init)) {

/* error handling */

...

}

memcpy (buffer , key , min( key_size , WORK_SIZE));

print_key (buffer);

/* buffer contains 4 bytes of the initialisation vector and the last 12 bytes of

the key */

memcpy (buffer , init , min(init_size , WORK_SIZE ));

printIV (buffer);

...

/* no secure deletion */

}

Good example

            



#define KEY_SIZE 16U

#define IV_SIZE 4U

#include <stdlib .h>

void process( const uint8_t *key , uint16_t key_size , const uint8_t *init ,

uint16_t init_size) {

uint8_t my_key[KEY_SIZE ];

uint8_t iv[IV_SIZE ];

if ((NULL == key) || ( NULL == init)) {

/* error handling */

...

}

memcpy (my_key , key , min( key_size , KEY_SIZE));

print_key (my_key);

memcpy (iv , init , min(init_size , IV_SIZE ));

printIV (iv);

...

/* deletion of the buffers , so that the data does not remain on the stack

ATTENTION: the compiler can optimise and delete these calls , which may be

considered unnecessary.

It is therefore necessary to consult the compiler documentation in order for the

calls to be retained. */

memset (my_key , 0, KEY_SIZE);

memset (iv , 0, IV_SIZE);

}

15.4.1 References

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  131

              

132  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Error management

16.1 Correct use of errno

 errno       <errno.h>   int    

                 

  errno              

                

RULE

165

RULE — Initialise and view the value of errno before and after any exe-

cution of a standard library function that changes its value

Bad example

#include <stdlib .h>

void try1 (const unsigned char * len)

{

unsigned long res;

res = strtoul(len ,NULL ,5); /* conversion character string to unsigned long */

/* the function strtoul writes in errno */

if (res == ULONG_MAX)

{

/* problem management */

}

...

}

Good example

#include <stdlib .h>

#include <errno .h>

void try1 (const unsigned char * len)

{

unsigned long res;

errno = 0; /* init errno */

res = strtoul(len ,NULL ,5); /* conversion character string to unsigned long */

/* strtoul written in errno */

if (res == ULONG_MAX && errno != 0) /* errno reading */

{

/* problem management */

}

...

}

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  133

16.1.1 References

                

          

          

      

      

16.2 Systematic consideration of errors returned by

standard library functions

               

                  

        

RULE

166

RULE — All errors returned by standard library functions must be handled

              

     

                 

   

Bad example

#include <stdio .h>

#include <stdlib .h>

int main( void )

{

FILE *fp = fopen("myfile.txt", "w"); /* returned value not read */

fputs ("hello\n", fp);

...

}

Good example

#include <stdio .h>

#include <stdlib .h>

int main( void )

{

FILE *fp = fopen("myfile.txt", "w");

if (fp != NULL) {

fputs ("hello\n", fp);

...

}

134  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

16.2.1 References



        

       

              

       

    

       

    

        

       

16.3 Documentation and structuring of error codes

             

             

              

                 

          

RULE

167

RULE — Error code documentation

             

             

     

            

               

                 

               

    etc.

RECO

168

RECOMMENDATION — Structuring of return codes

              

       



 



 

n 

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  135

n etc.

16.3.1 References

           

16.4 Return code of a C program depending on whether it

executed successfully

                

               

                

     

    cmd.exe         ERRORLEVEL



n                  

        $?

                 

         

          

            

RULE

169

RULE — Return code of a C program according to the result of its execution

                

         

n            

          

               

    

            

Bad example

           

             

int main(int argc , char * argv []) {

if (argc != 2) {

/* incorrect number of arguments */

return -1; /* the return code will not be interpreted correctly on Linux */

}

...

return 0;

136  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

}

Good example

            

#define RESULT_OK (0U)

#define ARG_ERROR (2U)

int main(int argc , char * argv []) {

if (argc != 2) {

/* incorrect number of arguments */

return ARG_ERROR;

}

...

return RESULT_OK;

}

16.5 Ending of a C program following an error

                  

               

                

abort()    _Exit()            

        cleanly i.e.     

        etc.      

         main()      

RECO

170

RECOMMENDATION — Give preference to error returns via return codes in

the main function

       main()       

        

RULE

171

RULE — Do not use the abort() or _Exit() functions

 exit()              

               

         

RECO

172

RECOMMENDATION — Limit calls to exit()

   exit()         

             



RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  137

  setjmp()  longjump()     setjmp.h    

               

        

RULE

173

RULE — Do not use the setjmp() and longjump() functions

Bad example

#include <stdlib .h>

#include <stdio .h>

int read_file( void)

{

FILE *f = fopen("C:\\myfile.txt", "w");

if (NULL == f)

{

/* problem when opening file */

_Exit (12); /* not authorized */

}

fprintf (f, "%s", " blablabla");

...

abort (); /* not authorized */

...

return 0;

}

int main( void )

{

int val = read_file();

...

return 1;

}

Good example

#include <stdlib .h>

#include <stdio .h>

int read_file( void)

{

FILE *f = fopen("C:\\myfile.txt", "w");

if (NULL == f)

{

/* problem when opening file */

return 12; /* error code documented for this problem */

}

fprintf (f, "%s", " blablabla");

...

return 10; /* other documented error code */

...

return 0; /* no problem */

}

int main( void )

{

int val = read_file();

if (val == 0)

{ /* no problem in the function */

...

return 0;

}

else

{ /* error handling according to the error code */

...

return 1;

138  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

}

16.5.1 References

         

          

      

        

          abort _Exit  signal 

    

  signal     

        

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  139

Standard library

17.1 Prohibited standard library header les

              

   

setjmp.h

stdarg.h

               

  <stdarg.h>             

 va_start va_arg va_end    va_copy      

                 

              

                

    

RULE

174

RULE — Do not use the setjmp.h and stdarg.h standard libraries

17.1.1 References

          

             

              

          

       

      

          

 

140  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

17.2 Not recommended standard libraries

             float.h complex.h

fenv.h  math.h

RECO

175

RECOMMENDATION — Limit the use of standard libraries handling oating-

point numbers

   float.h complex.h fenv.h  math.h    

         

17.2.1 References

          

          

           

       

   

17.3 Prohibited standard library functions

        atoi() atol() atof()  atoll() 

  stdlib.h            

 strto*()                

 

RULE

176

RULE — Do not use the functions atoi(), atol(), atof()

and atoll() from the library stdlib.h

  strto*()    

 rand()            

         

RULE

177

RULE — Do not use the rand() function of the standard library

17.3.1 References

  atof atoi atol  atoll     

            

          

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  141

       rand()     

         

         

      

17.4 Choice between different versions of standard library

functions

                 

        

Warning

             

               



Information

             

      strcpy_s()

      strxx        strnxx

            

RULE

178

RULE — Use the “more secure” versions for standard library functions

            

    

               

  gets()             

   

RULE

179

RULE — Do not use obsolete library functions or those which become ob-

solete in subsequent standards

RULE

180

RULE — Do not use library functions that handle buffers without taking the

buffer size as an argument

142  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

17.4.1 References

            

         

    

          

      

      

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  143

Analysis, evaluation of the code

18.1 Proofreading of the code

                 

              



GOOD

PRACTICE

181

GOOD PRACTICE — All code should be proofread

18.2 Indentation of long expressions

               

               

             

RECO

182

RECOMMENDATION — Indentation of long expressions

            

          

Bad example

              

 

if (( OPT_1 == opt)

|| ((c >= a) && (0xdeafbeef == b)

&& (NULL == p_point )))

{

/* processing */

}

if (0 != a_function_name_really_to_extend_to_be_as_explicit_as_possible (

A_CONSTANT_ALWAYS_WITH_A_VERY_EXPLICIT_NAME ,

A_SECOND_CONSTANT_ALWAYS_WITH_A_NAME_TO_EXTEND , 5, 50))

{

/* processing */

}

144  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Good example

            

if (( OPT_1 == opt)

|| ((c >= a)

&& (0 xdeafbeef == b)

&& (NULL == p_point )

))

{

/* processing */

}

if (0 != a_function_name_really_to_extend_to_be_as_explicit_as_possible (

A_CONSTANT , A_CONSTANT_ALWAYS_WITH_A_VERY_EXPLICIT_NAME ,

A_SECOND_CONSTANT_ALWAYS_WITH_A_NAME_TO_EXTEND ,

50))

{

/* processing */

}

18.3 Identifying and removing any dead or unreachable

code

             

 

Unreachable code

               

           

  return  etc.

Dead code

              

         etc.

                

             

RULE

183

RULE — Identify and remove any dead code

RULE

184

RULE — The code must have no unreachable code other than defensive

code and interface code

            

           

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  145

18.3.1 References

        unreachable 

        

   

      

     

     

18.4 Tool-based evaluation of the source code to limit the

risk of execution errors

           

              

              

               

  

              

                



RECO

185

RECOMMENDATION — Tool-based evaluation of the source code to limit

the risk of execution errors

              

             

          

18.4.1 References

       

18.5 Limiting cyclomatic complexity

Cyclomatic complexity

            

           

146  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

              

              

        

               

           

RECO

186

RECOMMENDATION — Limitation of cyclomatic complexity

            

18.6 Limiting the length of functions

                

            

                  

                   

              

               

   

RECO

187

RECOMMENDATION — Limitation of the length and complexity of a func-

tion

            

        

18.7 Do not use C++ keywords

             

         

         class new private public

delete etc.              

              

             

                  

             

       

RULE

188

RULE — Do not use C++ keywords

             

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  147

Bad example

        new  delete     

new_point  delete_point  

/* point .h */

typedef struct

{

float x;

float y;

} point_t;

point_t *new ();

void delete( point_t *p);

Good example

        

/* point .h */

typedef struct

{

float x;

float y;

} point_t;

point_t *new_point ();

void delete_point(point_t *p);

148  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Miscellaneous

19.1 Comment format

         

/* comments that can be over several lines */

              

// comments on a single line

   /*  //          

\        //      

RULE

189

RULE — Prohibited character sequences in comments

 /*  //            

  //        \

19.1.1 References

               

          

19.2 Implementation of a “canary” mechanism

           

              

   

              

             

                  

     

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  149

RULE

190

RULE — Manually implement a “canary” mechanism when not already sup-

ported by the toolchain

          

                  

                

     

Warning

             

          

       

Good example

  volatile          

      canary  canaryRef       

     canary  canaryRef   

typedef volatile uint32_t fid_t ;

#ifdef ACTIVATE_CANARIES

static inline void verifcanari (fid_t canari , fid_t canariRef) {

uint8_t res = !!( canari != canariRef);

if (0 != res)

{

/* context -specific processing */

}

#else /* ifdef ACTIVATE_CANARIES */

static inline void verifcanari (fid_t canari , fid_t canariRef) { }

#endif /* ifdef ACTIVATE_CANARIES */

void foo( fid_t canari) {

/* checking of the canary parameter at the beginning of the function */

verifcanari (canari , FID_FOO);

/* body of the function ... */

/* checking of the canary parameter at the end of the function */

verifcanari (canari , FID_FOO);

}

19.3 Assertions of development and assertions of integrity

        

n               

                

             

                

      

           assert()   

             

150  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

              

              

   

                 

                   

             

                  

 

RULE

191

RULE — No development assertion on a code in production

       

RECO

192

RECOMMENDATION — Management of integrity assertions should include

emergency data deletion

           

           

19.4 Last line of a non-empty le must end with a line break

                 

     

Warning

          

        

         

RULE

193

RULE — All non-empty les mustend with a line break and thepreprocessor

directives and comments must be closed

              

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  151

Appendix A

Acronyms

    

   

    

   

   

   

     

   

152  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Appendix B

Further information on gcc and Clang

options

              

 

B.1 Denition of the C language standard in use

 -std               

                 

Information

 -ansi     -std=c90      -std=c89

 -std=iso9899:1990

Information

 -std=iso9899:199409         

 

Information

 -std=iso9899:1999    -std=c99

B.2 Additional warnings

       -Wall  -Wextra  -Wpedantic   

        





-Wbad-function-cast

n -Wcast-align

n -Wcast-qual                

      const

                     

        

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  153

-Wconversion           

   

-Wfloat-equal

n -Wnull-dereference

-Wshadow              

      

-Wstack-protector           

-Wstrict-prototypes

-Wswitch-enum        switch     

     case            

-Wmissing-prototypes

-Wundef

-Wvla

      

-Wduplicated-branches

-Wduplicated-cond

-Wformat-signedness

-Wjump-misses-init

-Wlogical-op       

-Wnested-externs       extern     



-Wnormalized          

n -Wold-style-definition

-Wshift-negative-value

-Wshift-overflow=2

-Wstrict-overflow=3            

       

-Wsuggest-attribute=format       format    



-Wsuggest-attribute=malloc       malloc    



n -Wswitch-default    switch       

-Wtraditional-conversion            

            

154  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

-Wtrampolines            



-Wwrite-strings    const         

      const        

                 const

            

  

      

-Warray-bounds-pointer-arithmetic

-Wassign-enum            

            

-Wcast-function-type

-Wcomma

n -Wcovered-switch-default

n -Wduplicate-enum

-Widiomatic-parentheses          

    

-Wloop-analysis

-Wformat-non-iso

-Wformat-pedantic

-Wformat-type-confusion

-Wfour-char-constants

n -Wimplicit-fallthrough

n -Wpointer-arith

-Wpragmas

-Wreserved-identifier

-Wshift-sign-overflow

-Wsigned-enum-bitfield

-Wstatic-in-inline

-Wtautological-constant-in-range-compare

-Wthread-safety

n -Wunreachable-code

n -Wunreachable-code-aggressive

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  155

-Wunused-macros

-Wused-but-marked-unused

-Wvariadic-macros

-Wzero-as-null-pointer-constant

Information

   -Wall    -Wmost   

           

  

B.3 Clang and the -Weverything option

   -Weverything 



  all      

 

 -Weverything            

                 

              

      -Wall -Wextra  -Wmost

156  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

Appendix C

C++ reserved words

                

              

          

    

      

   

   

   

     

   

   

    

    

   

   

 

 

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  157

Appendix D

Operator priority

                

                 

              

   

      

       

           



       

     

 

 

 

  

    

  

 

  

    

     

 

 

          



       

         

     

             

         

  

  

       

   

  

      

  

158  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

       

     

       

 

  

  

     



        

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  159

Appendix E

Example of development conventions

                

               

       

Information

            

              

             

          

    

               

          

E.1 Files encoding

       

     \n     

E.2 Code layout and indentation

E.2.1 Maximum lengths

          

        

          

      

E.2.2 Code indentation

               

          

160  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

           

              



                    

 

         

       

                

                 

              

Good example

...

uint32_t processing_function ( linked_list_t *p_param1 , uint32_t ui32_param2 ,

const unsigned char *s_param3 )

{

uint32_t ui32_result = 0;

element_t *pp_out_param4 = NULL;

if ((NULL == p_param1) || (NULL == s_param3 ))

{

ui32_result = 0;

goto End;

}

ui32_result = function_with_many_params (p_param1 , ui32_param2 , s_param3 ,

pp_out_param4 );

if (1 == ui32_result)

{

...

}

End:

return ui32_result;

}

E.3 Standard types

  stdint.h               

                  

  stdbool.h                

     bool           

      _Bool         

   

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  161

* ISO C Standard: 7.16 Boolean type and values < stdbool.h>

#ifndef _STDBOOL_H

#define _STDBOOL_H

#ifndef __cplusplus

#define bool _Bool

#define true 1

#define false 0

#else // __cplusplus

/* Supporting <stdbool.h> in C++ is a GCC extension . */

#define _Bool bool

#define bool bool

#define false false

#define true true

#endif // __cplusplus

/* Signal that all the definitions are present . */

#define __bool_true_false_are_defined 1

#endif // stdbool .h

E.4 Naming

E.4.1 Language for implementation

              

                 

                



             

      

E.4.2 Naming of source le directories

                  

                

                 

  

             



162  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

  

     

          

         

      etc.

        

 

      

 

E.4.3 Naming of header les and implementation les

                 

                  

                 

   etc.

            utils_linked_list.h

utils_linked_list.c utils_mutex.h utils_mutex.c utils_thread.h utils_thread.c 

E.4.4 Naming of macros

               

               

                 

         

Good example

#define LOG_DEBUG(sMessage) write_log_message(sMessage )

                   

              

Good example

#define UTILS_LINKED_LIST_H

E.4.5 Naming of types

         typedef        

 _t              

              enum 

struct     _tag            

      _tag   _t

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  163

Good example

typedef enum status_tag {

...

} status_t;

typedef signed long sint32_t;

typedef struct linked_list_tag

{

...

} linked_list_t;

E.4.6 Naming of functions

                  

                 

            

Good example

status_t utils_create_linked_list(linked_list_t ** pp_list);

status_t utils_delete_linked_list(linked_list_t *pp_list);

E.4.7 Naming of variables

             

               

   etc.

                

     

   

       

       

       

       

       

       

       

       

     

     

     

     

      

       

     

   

       

164  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

   

         

       

         

E.5 Documentation

E.5.1 Format of tags for documentation

         Doxygen    Doxygen

      @   Doxygen      

               

 Doxygen   

     /*!    */

              

E.5.2 File header title block

                

            

            

 Doxygen @file   @file           

                

@file   

      @file             

           

      Doxygen  

          @addtogroup <label> [title]    

                 

                  

              

 @addtogroup       @{  @}      

        

E.5.3 Documentation of a structure

              

               

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  165

E.5.4 Documentation of an enumeration

             

                

   

E.5.5 Documentation of a global variable

             

               



E.5.6 Documentation of a function

              

        

  

         

               

 

                 

             

        

       

n     

Good example

          

#ifndef UTILS_LINKED_LIST_H

#define UTILS_LINKED_LIST_H

/*!

* @file linked_list .h

* @author DEV 1

* @brief Linked List

* Function declarations for the manipulation of linked list.

* @addtogroup utils Library Utils

* @{

/*!

* @brief Enumeration of status codes

* Status codes to indicate the success or the failure of functions

typedef enum status_tag {

STATUS_SUCCESS = 0, //!< success

166  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

STATUS_GENERIC_ERROR , //!< generic error

STATUS_MEMORY_ERROR , //!< memory allocation error

STATUS_INVALID_PARAM //!< invalid parameter

} status_t;

/*!

* @brief Element of the linked list

typedef struct linked_list_element_tag

{

struct linked_list_element_tag * pNext; //!< next element

struct linked_list_element_tag * pPrevious ; //!< previous element

void* pData ; //!< data of the element

} linked_list_element_t ;

/*!

* @brief Double linked list

* Structure to define a double linked list . The type data of the list is void.

typedef struct linked_list_tag

{

linked_list_element_t *pHead; //!< first element

linked_list_element_t *pTail; //!< last element

} linked_list_t;

/*!

* @brief New linked list

* Creation of a new linked list by allocating the memory for the structure and by

initializing the list.

* The new list is empty.

* @param[out] ppList is the new list

* @return # STATUS_SUCCESS the creation and the initialization are done with

success

* @return # STATUS_INVALID_PARAM if ppList is NULL or

* if (* ppList) != NULL

* @return # STATUS_MEMORY_ERROR fail of the memory allocation

* @pre ppList != NULL and (*ppList) == NULL

* @note the created list has to be deleted

* by calling # utils_delete_linked_list

status_t utils_create_linked_list(linked_list_t **ppList);

/*!

* @brief Deletion of the list

* All the elements of the list are deleted and the used memory is freed.

* @warning The memory used by the data in the list is not freed..

* @param[in , out] ppList the list to delete.

* @return # STATUS_SUCCESS if the deletion of the list is a success

* @return # STATUS_INVALID_PARAM if ppList is NULL

* or if (* ppList ) is NULL

* @pre ppList != NULL and (*ppList) != NULL

* @post (* ppList) == NULL

status_t utils_delete_linked_list(linked_list_t **ppList);

...

/*! @} */

#endif // UTILS_LINKED_LIST_H

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  167

Index

 

 

FAM Flexible Array Member 

VLA variable length array 

bit-eld 

compound literals 

dangling pointer 

debug 

debug  

release 

release  

use-aer-free 

++ 

, 

-- 

?: 

## 

#define 

#pragma 

#undef 

# 

_Bool 

bool 

complex 

const  

errno 

float, double 

for 

goto  

inline 

int 

realloc 

restrict 

sizeof 

static   

switch-case 

typedef  

volatile 

/* 

// 

 

 

 

  

  

  

 

 

 

 

 

   

  

  

   

 

 

 

 

  

  

  

 

 

 

 

 

 

  stringication 

   

 

    

    

    

    

 

  

 



 

 

 

  

 

 

  

 

  

  

  

  

  

  

  

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  169

List of rules, recommendations and good

practices

1          

2             

3             

4           

5           

6              

7            

 

8                

9             

10           

11                

 

12         

13            

   

14            

15         

 

16                  

 

17             

 

18        

19           

20    static inline      

21              

22          do {  } while(0)  

  

23               

24            

 

25            

26           

27    #undef      

28       

29          

170  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

30       

31            

32          

33              

 

34         

35        

36           

37               

 

38            

39             

40            

41           

 

42        

43      

44      

45       

46    relro    

47      lazy binding 

48       

49          release  

50       debug  release   

  

51            

  

52             

53             

   

54        

55               

56        

57             

#define



  

58             

const 

59               

60                

  

61      

62           

63      static    

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  171

64              

volatile 

65    volatile    volatile  

66            

67       compound literals 

68             

69        

70            

71           

72            

           

73        

74            

75              

         

76       

77               

78    signed char  unsigned char       

 

79        

80           

81          

82             

83                  

             

84              

85       

86           

87         

88                 

89    NULL      

90         NULL   

91       restrict   

92             

 

93            -> 

94           

95      void*    

96        

97             

98              

99               

172  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

100                    

101           

102             

 

103       

104       

105           

106           

107           

108             

 

109               

 

110          

111             

112           

113        

114         

115            

116              

117             

118         

119           

120        

121          

122       

123             

 

124        

125              

126        

127           

128          switch 

129     break     switch  

130          switch-case 

131             switch-case 

132      for  

133         for         

134       goto 

135       goto 

136            

137               

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  173

138              

  

139      

140         

141                

142               

    const 

143   inline      static 

144                

145             

146       void   

147            

148             

149            

150         NULL    

151           

152      ++  --     

153            

154          

155          ?: 

156            ?: 

157            

158          

159            

160          

161          realloc 

162       sizeof  

163            

164        

165         errno        

      

166             

167      

168       

169                

170              

 

171       abort()  _Exit()  

172      exit() 

173       setjmp()  longjump()  

174       setjmp.h  stdarg.h   

174  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

175           

 

176        atoi(), atol(), atof()  atoll()   

stdlib.h 

177       rand()      

178             

179               

  

180                

  

181         

182       

183         

184               

 

185              

  

186       

187            

188        

189        

190              

 

191           

192         

  

193                

    

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  175

Bibliography

 IEEE Standard for Floating-Point Arithmetic

 

 ISO/IEC 9899:1990, Programming Languages - C

    

 ISO/IEC 9899:1999, Programming Languages - C

    

 SEI CERT C Coding Standard

   

 CLANG’S Documentation

  

 CWE Common Weakness Enumeration

  

 Licence ouverte / Open Licence v2.0

     

https://www.etalab.gouv.fr/licence-ouverte-open-licence

 GCC: Reference Documentation

  

 ISO/IEC TS 17961 Information Technology - Programming languages, their envrionments

and system soware interfaces - C Secure Coding Rules

   

 MISRA-C:2012 Guidelines for the use of the C language in critical systems

 

176  RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT

RULES FOR SECURE C LANGUAGE SOFTWARE DEVELOPMENT  177

Version 1.4 - 24/03/2022 - ANSSI-PA-073

Licence ouverte / Open Licence (Étalab - v2.0)

AGENCE NATIONALE DE LA SÉCURITÉ DES SYSTÈMES D'INFORMATION

ANSSI - 51, boulevard de La Tour-Maubourg, 75700 PARIS 07 SP