SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 47

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 48

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Errors can occur when assumptions are made about the type of data being read. These assumptions may be violated, for example, when binary data has been read from a file instead of text from a user's terminal. (see See recommendation FIO14-C. Understand the difference between text mode and binary mode with file streams.) . On some systems, it may also be possible to input a null byte (as well as other binary codes) from the keyboard.

C99, section Section 7.19.7.2, "The fgets() function", paragraph 3 says:

The fgets function returns s if successful. If end-of-file is encountered and no
characters have been read into the array, the contents of the array remain unchanged and a
null pointer is returned.

Therefore, if fgets() returns a non-null pointer, we can assume it actually filled the array with data. However, assuming that it filled the array with a non-empty null-terminated byte string (NTBS) is erroneous , because the data it placed in the array may contain null characters.

...

Wiki Markup
The {{strlen()}} function computes the length of a string by determining the number of characters that precede the terminating null character.  A problem occurs if the first character read from the input by {{fgets()}} happens to be a null character.  This may occur, for example, if a binary data file is read by the {{fgets()}} call \[[Lai 062006|AA. Bibliography#Lai 06]\]. If the first character in {{buf}} is a null character, {{strlen(buf)}} returns 0 and a write-outside-array-bounds error occurs.

...

This compliant solution uses strchr() to replace the new-line character in the string, if it exists. (see See rue FIO36-C. Do not assume a new-line character is read when using fgets().).

Code Block
bgColor#ccccff
char buf[BUFSIZ + 1];
char *p;

if (fgets(buf, sizeof(buf), stdin)) {
  p = strchr(buf, '\n');
  if (p) {
    *p = '\0';
  }
}
else {
  /* Handle error condition */
}

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO37-C

high

probable

medium

P12

L1

Automated Detection

Tool

Version

Checker

Description

Section

Fortify SCA

...

Section

V. 5.0

...

 

 

Section

Compass/ROSE

 

 

Section

could detect some violations of this rule. In particular, it could detect the NCCE by searching for fgets(), followed by "strlen() - 1", which could be -1. The crux of this rule is that a string returned by fgets() could still be empty, because the first char is '\0'. There are probably other code examples that violate this guideline; we would need to enumerate them before ROSE could detect them

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

CERT This rule appears in the C++ Secure Coding Standard as : FIO37-CPP. Do not assume character data has been read.

Bibliography

unmigrated-wiki-markup

\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 7.19.7.2, "The {{ fgets function"

MITRE CWE: CWE-119, "Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer"

MITRE CWE: CWE-241, "Failure to Handle Wrong Data Type"

Bibliography

Wiki Markup
\[[Lai 2006|AA. Bibliography#Lai 06]\]}} function"
\[[Lai 06|AA. Bibliography#Lai 06]\]
\[[MITRE 07|AA. Bibliography#MITRE 07]\] [CWE ID 119|http://cwe.mitre.org/data/definitions/119.html], "Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer," [CWE ID 241|http://cwe.mitre.org/data/definitions/241.html], and "Failure to Handle Wrong Data Type"
\[[Seacord 05a2005a|AA. Bibliography#Seacord 05]\] Chapter 2, "Strings"

...