SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 38

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 39

changes.mady.by.user Arthur Hicken

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: update parasoft

...

The following table shows a list of C standard library functions that provide limited or no error checking and reporting along with preferable alternatives:

Function

Preferable
Alternative

Comments

atof

strtod

No error indication, undefined behavior on error

atoi

strtol

No error indication, undefined behavior on error

atol

strtol

No error indication, undefined behavior on error

atoll

strtoll

No error indication, undefined behavior on error

rewind

fseek

No error indication, silent failure on error

setbuf

setvbuf

No error indication, silent failure on error

ctimeasctime/localtime 

Undefined behavior if localtime fails 

Noncompliant Code Example (atoi())

...

The atoi(), atol(), and atoll() functions convert the initial portion of a string token to int, long int, and long long int representation respectively. Except for the behavior on error, they are equivalent as follows:

Call

Equivalent on Success

atoi(nptr)

(int)strtol(nptr, (char **)NULL, 10)

atol(nptr)

strtol(nptr, (char **)NULL, 10)

atoll(nptr)

strtoll(nptr, (char **)NULL, 10)

Unfortunately, atoi() and related functions lack a mechanism for reporting errors for invalid values. Specifically, the atoi(), atol(), and atoll() functions

...

Although it is rare for a violation of this rule to result in a security vulnerability, it can easily result in lost or misinterpreted data.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ERR07-C

Medium

Probable

Medium

P8

L2

Automated Detection

This rule in general cannot be detected, although various examples can be detected by simply scanning for functions that have equivalent functions with better error handling.

Tool

Version

Checker

Description

LDRA tool suite
Include Page
LDRA_V
LDRA_V

44 S, 593 S, 594 S

Partially implemented
Parasoft C/C++test
Include Page
c:
Parasoft_V
c:
Parasoft_V
MISRA2012
MISRA2004-
RULE-21
20_
7
10Partially implemented, detects ato* functions

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

MITRE CWECWE-20, Improper Input Validation
CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-91, XML Injection (aka Blind XPath Injection)
CWE-94, Improper Control of Generation of Code ('Code Injection')
CWE-114, Process Control
CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
CWE-676, Use of potentially dangerous function

Bibliography

[Klein 2002]"Bullet Proof Integer Input Using strtol()"

...


...