SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 93

changes.mady.by.user vishal patel

Saved on

compared with

New Version 94

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot (vkp)

...

Wiki Markup
An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location and consequently execute arbitrary code with the permissions of the vulnerable process \[[Seacord 05a|AA. References#SeacordBibliography#Seacord 05]\].

Formatted output functions are particularly dangerous because many programmers are unaware of their capabilities (for example, they can write an integer value to a specified address using the %n conversion specifier).

...

Wiki Markup
This noncompliant code example shows the {{incorrect_password()}} function, which is called during identification and authentication if the specified user is not found, or the password is incorrect, to display an error message. The function accepts the name of the user as a null-terminated byte string referenced by {{user}}.  This is an excellent example of data that originates from an untrusted, unauthenticated user.  The function constructs an error message which is then output to {{stderr}} using the C99 standard {{fprintf()}} function  \[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\].

Code Block
bgColor#FFCCCC
void incorrect_password(const char *user) {
  int ret;
  /* user names are restricted to 256 characters or less */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) /* Handle error */ ;
  else if (ret >= len) /* Handle truncated output */ ;

  fprintf(stderr, msg);
  free(msg);
}

...

Wiki Markup
This noncompliant code example is exactly the same as the first noncompliant code example but uses the POSIX function {{syslog()}} \[[Open Group 04|AA. References#OpenBibliography#Open Group 04]\] instead of the {{fprintf()}} function, which is also susceptible to format-string vulnerabilities.

...

Wiki Markup
\[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\] Section 7.19.6, "Formatted input/output functions"
\[[ISO/IEC PDTR 24772|AA. References#ISOBibliography#ISO/IEC PDTR 24772]\] "RST Injection"
\[[MITRE 07|AA. References#MITREBibliography#MITRE 07]\] [CWE ID 134|http://cwe.mitre.org/data/definitions/134.html], "Uncontrolled Format String"
\[[Open Group 04|AA. References#OpenBibliography#Open Group 04]\] [{{syslog()}}|http://www.opengroup.org/onlinepubs/009695399/toc.htm]
\[[Seacord 05|AA. References#SeacordBibliography#Seacord 05]\] Chapter 6, "Formatted Output"
\[[Viega 05|AA. References#ViegaBibliography#Viega 05]\] Section 5.2.23, "Format string problem"

...