...
Performing operations on device files which are intended for ordinary character or binary files can result in crashes and denial-of-service attacks. For example, when Windows attempts to interpret the device name as a file resource, it performs an invalid resource access that usually results in a crash [Howard 02].
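As an added example (not part of the original rule text), the following C function implements the kind of defensive name check implied by the paragraph above: it rejects a user-supplied path whose last component is a reserved MS-DOS device name (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), which Windows resolves to a device even when an extension such as ".txt" is appended. The function name, the sample paths and the 16-byte stem buffer are assumptions for this illustration; the check is portable C and runs on any platform.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reserved MS-DOS device names. Windows resolves these to the device in any
 * directory, and ignores a trailing extension ("CON.txt") and trailing spaces. */
static const char *const reserved_names[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9"
};

/* Return 1 if the last component of `path` names a reserved Windows device,
 * 0 otherwise. Hypothetical helper, written for this example. */
int is_windows_device_name(const char *path) {
    const char *base = path;
    const char *p;
    char stem[16];          /* assumed bound: reserved names are at most 4 chars */
    size_t len, i;

    /* Take the last path component; accept both separator styles. */
    for (p = path; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\') {
            base = p + 1;
        }
    }
    /* The stem is everything before the first '.', minus trailing spaces. */
    len = strcspn(base, ".");
    while (len > 0 && base[len - 1] == ' ') {
        len--;
    }
    if (len == 0 || len >= sizeof stem) {
        return 0;
    }
    for (i = 0; i < len; i++) {
        stem[i] = (char)toupper((unsigned char)base[i]);   /* case-insensitive */
    }
    stem[len] = '\0';

    for (i = 0; i < sizeof reserved_names / sizeof reserved_names[0]; i++) {
        if (strcmp(stem, reserved_names[i]) == 0) {
            return 1;
        }
    }
    return 0;
}

int main(void) {
    /* Constructed sample paths */
    printf("%d\n", is_windows_device_name("C:\\logs\\CON.txt"));   /* prints 1 */
    printf("%d\n", is_windows_device_name("C:\\logs\\report.txt")); /* prints 0 */
    return 0;
}
```

This name check is a cheap first filter on untrusted input; it does not replace the handle-type check in the Windows compliant solution, which is the authoritative test because it asks the operating system what the opened object actually is.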
Non-Compliant Code Example
```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

char filename[256];   /* buffer for the user-supplied file name */
int fd;

if (!fgets(filename, sizeof(filename), stdin)) {
  /* handle error */
}
filename[strcspn(filename, "\n")] = '\0';   /* drop the newline fgets() keeps */

/* open() returns -1 on failure, not 0; no check is made on what filename names */
fd = open(filename, O_WRONLY, 0600);
if (fd == -1) {
  /* handle error */
}
/* if filename is a FIFO or a locked device, the program may now hang in the open() call */
```
Compliant Solution (POSIX)
Device files in UNIX can be a major security hazard when an attacker is able to access them in an unauthorized way. For instance, if attackers can read or write to the /dev/kmem device, they may be able to alter their priority, UID, or other attributes of their process or simply crash the system. Similarly, access to disk devices, tape devices, network devices, and terminals being used by others can all lead to problems [Garfinkel 96].
...
```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

struct stat pre_s;
struct stat post_s;
char filename[256];   /* buffer for the user-supplied file name */
int fildes;

if (!fgets(filename, sizeof(filename), stdin)) {
  /* handle error */
}
filename[strcspn(filename, "\n")] = '\0';   /* drop the newline fgets() keeps */

/* refuse anything that is not a regular file before opening it */
if ((stat(filename, &pre_s) != 0) || (!S_ISREG(pre_s.st_mode))) {
  /* handle error */
}
/* due to a race condition here, we will verify with fstat later */
fildes = open(filename, O_WRONLY, 0600);   /* open() returns -1 on failure */
if (fildes == -1) {
  /* handle error */
}
if (fstat(fildes, &post_s) != 0) {   /* fstat() returns 0 on success */
  /* handle error */
}
/* the object we opened must be the same one we checked with stat() */
if (!(pre_s.st_mode == post_s.st_mode &&
      pre_s.st_ino == post_s.st_ino &&
      pre_s.st_dev == post_s.st_dev)) {
  /* handle error */
}
/* operate on file */
```
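The stat()/open()/fstat() sequence above is shown here as a complete, runnable function. This is an added example, not code from the CERT page: `open_regular_file()` and `make_temp_regular_file()` are names chosen for this illustration, and the temporary file is assumed to be creatable under /tmp. The one addition beyond the page's sequence is O_NONBLOCK on the open() call, so that if the race the comment mentions is lost and a FIFO or device is substituted between stat() and open(), the open() returns instead of hanging; the flag is cleared with fcntl() once fstat() has confirmed a regular file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing only if it is a regular file both before and after
 * open(). Returns a blocking descriptor, or -1 if any check fails.
 * Hypothetical helper, written for this example. */
int open_regular_file(const char *path) {
    struct stat pre_s, post_s;
    int fd, flags;

    /* Pre-check: devices, FIFOs and directories are rejected before open(). */
    if (stat(path, &pre_s) != 0 || !S_ISREG(pre_s.st_mode)) {
        return -1;
    }
    /* O_NONBLOCK: if a FIFO or device was swapped in after the stat(),
     * open() returns (possibly with an error) rather than blocking. */
    fd = open(path, O_WRONLY | O_NONBLOCK, 0600);
    if (fd == -1) {
        return -1;
    }
    /* Post-check on the descriptor actually obtained: same type, inode and device. */
    if (fstat(fd, &post_s) != 0 || !S_ISREG(post_s.st_mode) ||
        pre_s.st_ino != post_s.st_ino || pre_s.st_dev != post_s.st_dev) {
        close(fd);
        return -1;
    }
    /* Restore normal blocking semantics for the caller. */
    flags = fcntl(fd, F_GETFL);
    if (flags == -1 || fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo/test helper: create an empty regular file under /tmp (assumed writable)
 * and return its malloc'd path, or NULL on failure. */
char *make_temp_regular_file(void) {
    char tmpl[] = "/tmp/fio-device-exampleXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd == -1) {
        return NULL;
    }
    close(fd);
    return strdup(tmpl);
}

int main(void) {
    char *path = make_temp_regular_file();
    int fd;
    if (path == NULL) {
        return 1;
    }
    fd = open_regular_file(path);
    printf("regular file: %s\n", fd >= 0 ? "opened" : "rejected");
    printf("/dev/null: %s\n", open_regular_file("/dev/null") >= 0 ? "opened" : "rejected");
    if (fd >= 0) {
        close(fd);
    }
    unlink(path);
    free(path);
    return 0;
}
```

The inode and device comparison is what ties the two checks together: matching st_mode alone would not detect a different regular file substituted at the same path.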
Compliant Solution (Windows)
In the compliant solution, the log file is only opened once upon program startup, and is closed upon program termination. The log_message() function only writes the message to the already opened file.
```c
#include <windows.h>

/* Desired access 0 lets us query the object without read or write rights. */
HANDLE hFile = CreateFile(pFullPathName,
  0, 0, NULL, OPEN_EXISTING, 0, NULL
);
if (hFile == INVALID_HANDLE_VALUE) {
  /* handle error */
}
/* FILE_TYPE_DISK identifies an ordinary disk file; anything else (character
 * device, pipe, unknown) is rejected. */
if (GetFileType(hFile) != FILE_TYPE_DISK) {
  /* handle error */
}
/* operate on file */
```
Risk Assessment
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO46-C | 2 (medium) | 1 (unlikely) | 2 (medium) | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[Garfinkel 96] Section 5.6, "Device Files"
[Howard 02] Chapter 11, "Canonical Representation Issues"
[ISO/IEC 9899-1999] Section