Information technology — Programming languages, their environments and system software interfaces — C secure coding rules

ISO/IEC TS 17961:2013 specifies rules for secure coding in the C programming language, together with code examples. It does not specify the mechanism by which these rules are enforced, or any particular coding style to be enforced. Each rule in this Technical Specification is accompanied by code examples of two distinct kinds: noncompliant examples, which demonstrate language constructs that have weaknesses with potentially exploitable security implications and are expected to elicit a diagnostic from a conforming analyzer for the affected language construct; and compliant examples, which are expected not to elicit a diagnostic.
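As an added illustration of the noncompliant/compliant pairing described above (this is editor-supplied example code, not taken from the Technical Specification), the following C shows rule 5.30, "Overflowing signed integers" [intoflow], from the contents list. The function names (nc_add, checked_add, checked_sub, checked_mul) and the struct int_result return type are this example's own choices, not names used by the TS.

```c
/* Added example (not part of ISO/IEC TS 17961): rule 5.30 [intoflow],
 * "Overflowing signed integers", in the noncompliant/compliant form the TS
 * uses for every rule. All identifiers below are this example's own. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct int_result {
    bool ok;    /* false: the operation would overflow; value is unset */
    int  value;
};

/* NONCOMPLIANT: if a + b is not representable as int, the addition is
 * undefined behaviour. A conforming analyzer is expected to diagnose this
 * when the operands are not proven to be in range. Shown for contrast only;
 * it is safe to call solely with inputs the caller has already bounded. */
int nc_add(int a, int b)
{
    return a + b;
}

/* COMPLIANT: test the range before operating, never after. Checking the
 * result for wrap-around after the fact is itself undefined behaviour and
 * an optimising compiler may delete such a check. */
struct int_result checked_add(int a, int b)
{
    struct int_result r = { false, 0 };
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return r;
    r.ok = true;
    r.value = a + b;
    return r;
}

struct int_result checked_sub(int a, int b)
{
    struct int_result r = { false, 0 };
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b))
        return r;
    r.ok = true;
    r.value = a - b;
    return r;
}

/* Multiplication needs a sign-by-sign case split. The divisions are safe:
 * on every path where one is evaluated the divisor is known to be nonzero,
 * and INT_MIN / -1 (itself an overflow) can never be reached. */
struct int_result checked_mul(int a, int b)
{
    struct int_result r = { false, 0 };
    if (a > 0) {
        if (b > 0) {
            if (a > INT_MAX / b) return r;          /* both positive */
        } else {
            if (b < INT_MIN / a) return r;          /* a > 0, b <= 0 */
        }
    } else {
        if (b > 0) {
            if (a < INT_MIN / b) return r;          /* a <= 0, b > 0 */
        } else {
            if (a != 0 && b < INT_MAX / a) return r; /* both non-positive */
        }
    }
    r.ok = true;
    r.value = a * b;
    return r;
}

int main(void)
{
    struct int_result r = checked_add(INT_MAX, 1);
    printf("INT_MAX + 1: %s\n", r.ok ? "ok" : "rejected (would overflow)");
    r = checked_mul(INT_MIN, -1);
    printf("INT_MIN * -1: %s\n", r.ok ? "ok" : "rejected (would overflow)");
    r = checked_sub(-5, 7);
    if (r.ok) printf("-5 - 7 = %d\n", r.value);
    printf("nc_add(2, 3) = %d\n", nc_add(2, 3)); /* in range, so defined */
    return 0;
}
```

The compliant functions reject the two classic cases an analyzer flags under this rule, INT_MAX + 1 and INT_MIN * -1, before the operation is performed; the noncompliant nc_add is the construct that would draw the diagnostic.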

French title (translated): Information technology — Programming languages, their environments and system software interfaces — C secure coding rules

General Information

Status: Published
Publication date: 14-Nov-2013
Current stage: 9093 (International Standard confirmed)
Completion date: 03-Sep-2024

Buy Standard

Technical specification ISO/IEC TS 17961:2013 - Information technology — Programming languages, their environments and system software interfaces — C secure coding rules. Released 11/15/2013. English language, 80 pages.

Standards Content (Sample)


TECHNICAL SPECIFICATION ISO/IEC TS 17961
First edition, 2013-11-15
Information technology — Programming languages, their environments and system software interfaces — C secure coding rules
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2013 – All rights reserved

Contents
Foreword (p. v)
Introduction (p. vi)
1 Scope (p. 1)
2 Conformance (p. 1)
2.1 Portability assumptions (p. 2)
3 Normative references (p. 2)
4 Terms and definitions (p. 2)
5 Rules (p. 5)
5.1 Accessing an object through a pointer to an incompatible type [ptrcomp] (p. 5)
5.2 Accessing freed memory [accfree] (p. 6)
5.3 Accessing shared objects in signal handlers [accsig] (p. 7)
5.4 No assignment in conditional expressions [boolasgn] (p. 8)
5.5 Calling functions in the C Standard Library other than abort, _Exit, and signal from within a signal handler [asyncsig] (p. 9)
5.6 Calling functions with incorrect arguments [argcomp] (p. 11)
5.7 Calling signal from interruptible signal handlers [sigcall] (p. 12)
5.8 Calling system [syscall] (p. 13)
5.9 Comparison of padding data [padcomp] (p. 14)
5.10 Converting a pointer to integer or integer to pointer [intptrconv] (p. 14)
5.11 Converting pointer values to more strictly aligned pointer types [alignconv] (p. 15)
5.12 Copying a FILE object [filecpy] (p. 16)
5.13 Declaring the same function or object in incompatible ways [funcdecl] (p. 16)
5.14 Dereferencing an out-of-domain pointer [nullref] (p. 18)
5.15 Escaping of the address of an automatic object [addrescape] (p. 18)
5.16 Conversion of signed characters to wider integer types before a check for EOF [signconv] (p. 19)
5.17 Use of an implied default in a switch statement [swtchdflt] (p. 19)
5.18 Failing to close files or free dynamic memory when they are no longer needed [fileclose] (p. 20)
5.19 Failing to detect and handle standard library errors [liberr] (p. 20)
5.20 Forming invalid pointers by library function [libptr] (p. 26)
5.21 Allocating insufficient memory [insufmem] (p. 28)
5.22 Forming or using out-of-bounds pointers or array subscripts [invptr] (p. 29)
5.23 Freeing memory multiple times [dblfree] (p. 34)
5.24 Including tainted or out-of-domain input in a format string [usrfmt] (p. 35)
5.25 Incorrectly setting and using errno [inverrno] (p. 37)
5.26 Integer division errors [diverr] (p. 39)
5.27 Interleaving stream inputs and outputs without a flush or positioning call [ioileave] (p. 40)
5.28 Modifying string literals [strmod] (p. 41)
5.29 Modifying the string returned by getenv, localeconv, setlocale, and strerror [libmod] (p. 42)
5.30 Overflowing signed integers [intoflow] (p. 43)
5.31 Passing a non-null-terminated character sequence to a library function that expects a string [nonnullcs] (p. 44)
5.32 Passing arguments to character-handling functions that are not representable as unsigned char [chrsgnext] (p. 45)
5.33 Passing pointers into the same object as arguments to different restrict-qualified parameters [restrict] (p. 46)
5.34 Reallocating or freeing memory that was not dynamically allocated [xfree] (p. 47)
5.35 Referencing uninitialized memory [uninitref] (p. 48)
5.36 Subtracting or comparing two pointers that do not refer to the same array [ptrobj] (p. 49)
5.37 Tainted strings are passed to a string copying function [taintstrcpy] (p. 50)
5.38 Taking the size of a pointer to determine the size of the pointed-to type [sizeofptr] (p. 50)
5.39 Using a tainted value as an argument to an unprototyped function pointer [taintnoproto] (p. 51)
5.40 Using a tainted value to write to an object using a formatted input or output function [taintformatio] (p. 52)
5.41 Using a value for fsetpos other than a value returned from fgetpos [xfilepos] (p. 52)
5.42 Using an object overwritten by getenv, localeconv, setlocale, and strerror [libuse] (p. 53)
5.43 Using character values that are indistinguishable from EOF [chreof] (p. 54)
5.44 Using identifiers that are reserved for the implementation [resident] (p. 55)
5.45 Using invalid format strings [invfmtstr] (p. 57)
5.46 Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink] (p. 58)
Annex A (informative) Intra- to Interprocedural Transformations (p. 59)
Annex B (informative) Undefined Behavior (p. 63)
Annex C (informative) Related Guidelines and References (p. 71)
Annex D (informative) Decidability of Rules (p. 77)
Bibliography (p. 78)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents,
the joint technical committee may decide to publish an ISO/IEC Technical Specification (ISO/IEC TS),
which represents an agreement between the members of the joint technical committee and is accepted
for publication if it is approved by 2/3 of the members of the committee casting a vote.
An ISO/IEC TS is reviewed after three years in order to decide whether it will be confirmed for a further
three years, revised to become an International Standard, or withdrawn. If the ISO/IEC TS is confirmed,
it is reviewed again after a further three years, at which time it must either be transformed into an
International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TS 17961 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 22, Programming languages, their environments and system software interfaces.

Introduction
Background
An essential element of secure coding in the C programming language is a set of well-documented and
enforceable coding rules. The rules specified in this Technical Specification apply to analyzers, including
static analysis tools and C language compiler vendors that wish to diagnose insecure code beyond the
requirements of the language standard. All rules are meant to be enforceable by static analys
...
