...

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 or fewer characters */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) { /* Handle error */ }
  else if ((size_t)ret >= len) { /* Handle truncated output */ }
  /* Noncompliant: msg, which contains user input, is the format string */
  fprintf(stderr, msg);
  free(msg);
}

The incorrect_password() function calculates the size of the message, allocates dynamic storage, and then constructs the message in the allocated memory using the snprintf() function. The addition is not checked for integer overflow because the string referenced by user is known to have a length of 256 or less. Because the %s conversion is replaced by the string referenced by user in the call to snprintf(), one byte less than len is required to store the resulting string and its terminating null character. This idiom is commonly used for displaying the same message in multiple locations or when the message is difficult to build. The resulting code contains a format-string vulnerability, however, because msg includes untrusted user input and is passed as the format-string argument in the call to fprintf(). Any conversion specifications in the user name are therefore interpreted by fprintf() as directives rather than printed literally.
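The following added example (not code from the original rule page) makes the defect observable without relying on undefined behaviour. It reuses the message-building idiom above but routes output through a hypothetical emit() wrapper that stands in for fprintf() or syslog() and returns the rendered text, so the noncompliant path (message passed as the format) can be compared with the compliant one (constant "%s" format). The probe user name "%%" is constructed for the demonstration: it is a complete conversion sequence that consumes no arguments, so both calls are well defined, yet the noncompliant path visibly collapses it to a single "%", proving that user input is being interpreted as format directives.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper standing in for fprintf()/syslog(): whatever
 * arrives as 'fmt' is handed to vsnprintf() and interpreted as a format. */
static int emit(char *out, size_t outsz, const char *fmt, ...) {
  va_list ap;
  va_start(ap, fmt);
  int ret = vsnprintf(out, outsz, fmt, ap);
  va_end(ap);
  return ret;
}

/* Build "<user> cannot be authenticated.\n" into a heap buffer, exactly
 * as incorrect_password() does. Returns NULL on allocation or
 * truncation failure; the caller frees the result. */
static char *build_message(const char *user) {
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = malloc(len);
  if (msg == NULL) {
    return NULL;
  }
  int ret = snprintf(msg, len, msg_format, user);
  if (ret < 0 || (size_t)ret >= len) {
    free(msg);
    return NULL;
  }
  return msg;
}

/* Noncompliant: the assembled message (user input included) is passed
 * as the format argument, the same defect as fprintf(stderr, msg). */
int report_unsafe(const char *user, char *out, size_t outsz) {
  char *msg = build_message(user);
  if (msg == NULL) {
    return -1;
  }
  int ret = emit(out, outsz, msg);
  free(msg);
  return ret;
}

/* Compliant: the format string is a constant; msg is only ever data. */
int report_safe(const char *user, char *out, size_t outsz) {
  char *msg = build_message(user);
  if (msg == NULL) {
    return -1;
  }
  int ret = emit(out, outsz, "%s", msg);
  free(msg);
  return ret;
}

int main(void) {
  char out[128];
  /* Constructed probe input: "%%" consumes no arguments, so the
   * comparison stays well defined. An attacker would use %x or %n. */
  const char *probe = "%%";
  report_unsafe(probe, out, sizeof out);
  printf("unsafe: %s", out);   /* prints "% cannot be authenticated." */
  report_safe(probe, out, sizeof out);
  printf("safe:   %s", out);   /* prints "%% cannot be authenticated." */
  return 0;
}
```

The same emit() indirection is why a compiler flag such as GCC's -Wformat-security cannot be relied on alone: it only sees the call sites of functions it knows to take a format, so a logging wrapper that forwards to vsnprintf() or vsyslog() hides the non-literal format unless the wrapper itself is annotated.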

...

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 or fewer characters */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) { /* Handle error */ }
  else if ((size_t)ret >= len) { /* Handle truncated output */ }
  /* Compliant: msg is written as data, never interpreted as a format */
  if (fputs(msg, stderr) == EOF) {
    /* Handle error */
  }
  free(msg);
}

...

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
 
void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 or fewer characters */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) { /* Handle error */ }
  else if ((size_t)ret >= len) { /* Handle truncated output */ }
  /* Noncompliant: msg, which contains user input, is the syslog() format string */
  syslog(LOG_INFO, msg);
  free(msg);
}

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
FIO30-C   High      Likely      Medium            P18       L1

Two recent examples of format-string vulnerabilities resulting from a violation of this rule include Ettercap and Samba.

...

The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled file names that are used in a format specifier supplied to snprintf(). This security flaw becomes exploitable when a user can write to a share that uses Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system.

...

Tool              Version  Checker                  Description
Compass/ROSE
Coverity          6.5      TAINTED_STRING_WARNING   Fully implemented
Fortify SCA       5.0
GCC                                                 Can detect violations of this rule when the -Wformat-security flag is used
Klocwork                   SV.FMTSTR.GENERIC
                           SV.TAINTED.FMTSTR
LDRA tool suite            86 D                     Partially implemented
Splint

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...