...

Use the strtol() function to convert to a smaller signed integer type such as signed int, signed short, or signed char, testing the result against the range limits for that type.

...

Code Block (noncompliant code example)

int si;

if (argc > 1) {
  si = atoi(argv[1]);
}

The atoi(), atol(), and atoll() functions convert the initial portion of a string token to int, long int, and long long int representation, respectively. Except for the behavior on error, they are equivalent to

Code Block

atoi: (int)strtol(nptr, (char **)NULL, 10)
atol: strtol(nptr, (char **)NULL, 10)
atoll: strtoll(nptr, (char **)NULL, 10)

...

  • do not need to set errno on an error.
  • have undefined behavior if the value of the result cannot be represented.
  • return 0 if the string does not represent an integer, which is indistinguishable from a correctly formatted, zero-denoting input string.

...

Code Block (noncompliant code example)

int matches; 
int si;

if (argc > 1) {
  matches = sscanf(argv[1], "%d", &si);
  if (matches != 1) {
    /* Handle error */
  }
}

The sscanf() function returns the number of input items successfully matched and assigned, which can be fewer than provided for, or even zero in the event of an early matching failure. However, sscanf() fails to report the other errors reported by strtol(), such as overflow.

...

Code Block (compliant solution)

#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {

  if (argc < 2)
    return EXIT_SUCCESS;

  const char* const str = argv[1];
  char *end;
  int si;

  /* Clear errno so an ERANGE left over from an earlier call cannot be mistaken for an overflow here */
  errno = 0;

  const long sl = strtol(str, &end, 10);

  if (end == str) {
    /* No digits were consumed at all */
    fprintf(stderr, "%s: not a decimal number\n", str);
  }
  else if ('\0' != *end) {
    /* Digits were followed by characters that are not part of the number */
    fprintf(stderr, "%s: extra characters at end of input: %s\n", str, end);
  }
  else if ((LONG_MIN == sl || LONG_MAX == sl) && ERANGE == errno) {
    /* The value does not even fit in long */
    fprintf(stderr, "%s out of range of type long\n", str);
  }
  else if (sl > INT_MAX) {
    fprintf(stderr, "%ld greater than INT_MAX\n", sl);
  }
  else if (sl < INT_MIN) {
    fprintf(stderr, "%ld less than INT_MIN\n", sl);
  }
  else {
    /* Every check passed, so the narrowing conversion cannot lose data */
    si = (int)sl;

    /* process si */

    return EXIT_SUCCESS;
  }
  return EXIT_FAILURE;
}
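The same strtol() checks as the compliant solution, generalized to the smaller signed types the recommendation mentions (int and signed char shown), as an added example that is not part of the CERT page; the enum and function names are assumed:

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Result codes for the checked conversion (names are hypothetical, not from the CERT page). */
enum parse_status {
    PARSE_OK = 0,
    PARSE_NOT_A_NUMBER,   /* no digits were consumed */
    PARSE_TRAILING_JUNK,  /* digits were followed by other characters */
    PARSE_OUT_OF_RANGE    /* value does not fit in [lo, hi] */
};

/* Convert str with strtol() and require the result to lie within [lo, hi].
 * On success *out receives the value; on any failure *out is left untouched. */
enum parse_status parse_ranged(const char *str, long lo, long hi, long *out) {
    char *end;
    errno = 0;                            /* so a stale ERANGE cannot be misread */
    const long sl = strtol(str, &end, 10);
    if (end == str) {
        return PARSE_NOT_A_NUMBER;        /* covers "" and "abc" */
    }
    if (*end != '\0') {
        return PARSE_TRAILING_JUNK;       /* covers "12abc" */
    }
    if ((sl == LONG_MIN || sl == LONG_MAX) && errno == ERANGE) {
        return PARSE_OUT_OF_RANGE;        /* overflowed long itself */
    }
    if (sl < lo || sl > hi) {
        return PARSE_OUT_OF_RANGE;        /* fits in long but not in the target type */
    }
    *out = sl;
    return PARSE_OK;
}

/* Type-specific wrappers: the range limits come from <limits.h>, so the
 * narrowing cast below is only reached when it cannot lose data. */
enum parse_status parse_int(const char *str, int *out) {
    long v;
    enum parse_status st = parse_ranged(str, INT_MIN, INT_MAX, &v);
    if (st == PARSE_OK) *out = (int)v;
    return st;
}

enum parse_status parse_schar(const char *str, signed char *out) {
    long v;
    enum parse_status st = parse_ranged(str, SCHAR_MIN, SCHAR_MAX, &v);
    if (st == PARSE_OK) *out = (signed char)v;
    return st;
}
```

Note that strtol() skips leading whitespace and accepts a sign, so " -17" converts cleanly while "12abc" and "" are rejected; atoi() would silently return 12 and 0 for the latter two.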

Risk Assessment

Although it is rare for a violation of this recommendation to result in a security vulnerability, it can easily result in lost or misinterpreted data.

...

Automated Detection

Tool: Compass/ROSE
Description: Can detect violations of this recommendation by flagging invocations of the following functions:

    • atoi()
    • scanf(), fscanf(), sscanf()
    • others?

Tool: Fortify SCA
Version: V. 5.0
Description: Can detect violations of this recommendation with the CERT C Rule Pack.

Tool: LDRA tool suite
Checker: 44 S
Description: Fully implemented.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

MITRE CWE: CWE-676, "Use of potentially dangerous function," and CWE-20, "Insufficient input validation"

Bibliography

[ISO/IEC 9899:2011] Section 7.22.1.4, "The strtol, strtoll, strtoul, and strtoull functions," Section 7.22.1.2, "The atoi, atol, and atoll functions," and Section 7.21.6.7, "The sscanf function"
[Klein 2002]

...