Never call a formatted I/O function with a format string containing a tainted value. An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location. Consequently, the attacker can execute arbitrary code with the permissions of the vulnerable process [Seacord 2013].
...
This noncompliant code example shows the incorrect_password() function, which is called during identification and authentication to display an error message if the specified user is not found or the password is incorrect. The function accepts the name of the user as a string referenced by user. This is an excellent example of untrusted data that originates from an untrusted, unauthenticated user. The function constructs an error message that is then output to stderr using the C Standard fprintf() function.
...
This compliant solution fixes the problem by replacing the fprintf() call with a call to fputs(), which does not treat msg as a format string but outputs it to stderr as is:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 or fewer characters */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  /* sizeof(msg_format) includes the terminating null byte */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
    return;
  }
  /* user is passed as an argument; the format string is a constant */
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) {
    /* Handle error */
  } else if ((size_t)ret >= len) {
    /* Handle truncated output */
  }
  /* fputs() never interprets conversion specifiers in msg */
  if (fputs(msg, stderr) == EOF) {
    /* Handle error */
  }
  free(msg);
}
```
Compliant Solution (fprintf())
This simpler compliant solution passes the untrusted user input as one of the variadic arguments to fprintf() and not as part of the format string, eliminating the possibility of a format-string vulnerability:
...
This noncompliant code example is the same as the first noncompliant code example but uses the POSIX function syslog() [IEEE Std 1003.1:2013] instead of the fprintf() function. The syslog() function is also susceptible to format-string vulnerabilities:
...
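The fputs(), fprintf() and syslog() solutions above share one pattern: the format string is a compile-time constant and the tainted user name only ever travels as a `%s` argument. The following added example (not code from the CERT page) separates message construction from output so that the truncation and encoding-error cases can be checked, and emits the result through both fputs() and syslog() with a fixed `"%s"` format; the names build_auth_error(), report_auth_error() and the status enum are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Status codes for build_auth_error(); hypothetical names, not from the rule. */
enum auth_msg_status { AUTH_MSG_OK = 0, AUTH_MSG_TRUNCATED = 1, AUTH_MSG_ERROR = -1 };

/*
 * Write "<user> cannot be authenticated.\n" into buf. The format string is a
 * constant and user is only a %s argument, so any conversion specifiers
 * inside user are copied literally instead of being interpreted.
 */
int build_auth_error(char *buf, size_t buflen, const char *user) {
  static const char msg_format[] = "%s cannot be authenticated.\n";
  int ret = snprintf(buf, buflen, msg_format, user);
  if (ret < 0) {
    return AUTH_MSG_ERROR;      /* encoding error; buf contents are unspecified */
  }
  /* ret is non-negative here, so the cast avoids a signed/unsigned comparison */
  if ((size_t)ret >= buflen) {
    return AUTH_MSG_TRUNCATED;  /* buf holds a null-terminated prefix only */
  }
  return AUTH_MSG_OK;
}

/* Emit the message: neither fputs() nor a fixed "%s" format interprets msg. */
void report_auth_error(const char *user) {
  char msg[512];  /* enough for a 256-character user name plus the fixed text */
  int status = build_auth_error(msg, sizeof msg, user);
  if (status == AUTH_MSG_ERROR) {
    fputs("Authentication failure (message could not be built).\n", stderr);
    return;
  }
  if (fputs(msg, stderr) == EOF) {
    /* Handle error */
  }
  syslog(LOG_INFO, "%s", msg);  /* msg is an argument, never the format */
}

int main(void) {
  report_auth_error("alice");
  report_auth_error("%x%x%s");  /* constructed input; printed literally */
  return 0;
}
```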
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| FIO30-C | High | Likely | Medium | P18 | L1 | 
Two recent examples of format-string vulnerabilities resulting from a violation of this rule include Ettercap and Samba.
...