...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Mitigation Strategies
Static Analysis
Since the nature of this issue and the solution recommended by this rule is local, simple static analysis should be effective at assuring compliance with this rule. A simple search should be able to find calls to fgets() and local analysis should be effective at finding the code that applies when a NULL is returned as well as determining if the returned string is reset.
This rule also lends itself to inclusion in a global rules set that can be shipped with a static analysis tool.
Dynamic Analysis
It may be possible to assure compliance with this rule with some run-time mechanism. However, it seems unlikely that dynamic analysis would be chosen over the straight forward static analysis considering the well known disadvantages of dynamic analysis (performance, hard to confirm that all cases are covered, etc.).
Manual inspection
Manual inspection (especially if assisted by tooling to locate all calls to fgets()) could be effective and relatively efficient.
Testing
Due to the low level of this rule (all calls to fgets()), it seems unlikely that testing would be used to provide assurance of a codebase's compliance.
References
| Wiki Markup |
|---|
\[[ISO/IEC 9899-1999:TC2|AA. C References#ISO/IEC 9899-1999TC2]\] Section 7.19.7.2, "The {{fgets}} function" |