...

In this noncompliant code example, the user can specify a locked device or a FIFO (first-in, first-out) file name, causing the program to hang on the call to fopen():

Code Block
#include <stdio.h>
#include <string.h>

char file_name[FILENAME_MAX];
FILE *file;

/* Read the file name from the user; this is untrusted input */
if (!fgets(file_name, sizeof(file_name), stdin)) {
  /* Handle error */
}
file_name[strcspn(file_name, "\n")] = '\0';  /* drop the trailing newline */

/* Any name is accepted, so a locked device or a FIFO blocks here */
if ((file = fopen(file_name, "wb")) == NULL) {
  /* Handle error */
}

/* Operate on file */

fclose(file);

...

On Windows, the GetFileType() function can be used to determine whether the opened handle refers to a disk file:

Code Block
#include <windows.h>

/* pFullPathName holds the canonical path to open (initialized elsewhere) */
HANDLE hFile = CreateFile(
  pFullPathName, 0, 0, NULL, OPEN_EXISTING, 0, NULL
);
if (hFile == INVALID_HANDLE_VALUE) {
  /* Handle error */
}
else {
  /* Check the handle, not the name: devices and pipes are not FILE_TYPE_DISK */
  if (GetFileType(hFile) != FILE_TYPE_DISK) {
    /* Handle error */
  }
  else {
    /* Operate on file */
  }
  CloseHandle(hFile);
}
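
The same check on a POSIX system, as an added example that is not part of the rule's own code: open() with O_NONBLOCK so that a FIFO or a blocking device cannot hang the call, then fstat() the descriptor and reject anything that is not a regular file. The function name open_regular_file() and the helper names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open path with the caller's flags, but refuse anything that is not a
 * regular file.  O_NONBLOCK keeps open() from hanging on a FIFO with no
 * peer or on a device that waits for data; the fstat() check is made on
 * the descriptor, not on the name, so the object examined is the one that
 * was opened.  Returns an open descriptor, or -1 with errno set
 * (EINVAL when the object is not a regular file).
 */
int open_regular_file(const char *path, int flags) {
  int fd = open(path, flags | O_NONBLOCK, S_IRUSR | S_IWUSR);
  if (fd == -1) return -1;

  struct stat st;
  int err = 0;
  if (fstat(fd, &st) == -1) {
    err = errno;
  } else if (!S_ISREG(st.st_mode)) {
    err = EINVAL;
  } else {
    /* Ordinary file: restore blocking mode for normal use */
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1 || fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) == -1) err = errno;
  }
  if (err) { close(fd); errno = err; return -1; }
  return fd;
}

/* Helper (example only): 1 if path is accepted, 0 if it is rejected */
int accepts(const char *path) {
  int fd = open_regular_file(path, O_RDONLY);
  if (fd == -1) return 0;
  close(fd);
  return 1;
}

/* Helper (example only): create a FIFO at a constructed path, try to open
   it, then remove it.  Returns 1 if the FIFO was rejected, 0 if it was
   accepted, -1 if mkfifo() itself failed. */
int fifo_is_rejected(const char *path) {
  if (mkfifo(path, S_IRUSR | S_IWUSR) == -1) return -1;
  int r = accepts(path) ? 0 : 1;
  unlink(path);
  return r;
}
```

A descriptor returned by open_regular_file() can be wrapped with fdopen() when the rest of the code expects a FILE *.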

...

Tool         | Version | Checker | Description
-------------|---------|---------|------------
Compass/ROSE |         |         | Could detect some violations of this rule. This rule applies only to untrusted file name strings, and ROSE cannot tell which strings are trusted and which are not. The best heuristic is to note whether there is any verification of the file name before or after the fopen() call. If there is any verification, then the file opening should be preceded by an lstat() call and followed by an fstat() call. Although that does not enforce the rule completely, it does indicate that the coder is aware of the lstat-fopen-fstat idiom.
Fortify SCA  | 5.0     |         |

Related Vulnerabilities

...


...