Comment: Edited by sciSpider (sch jbop) (X_X)@==(Q_Q)@

...

This noncompliant code example illustrates the incorrect_password() function, which is called during identification and authentication, if the specified user is not found or the password is incorrect, to display an error message. The function accepts the name of the user as a null-terminated byte string referenced by user. This is a textbook example of data that originates from an untrusted, unauthenticated user. The function constructs an error message, which is then output to stderr using the C99 [ISO/IEC 9899-1999] standard fprintf() function.

Noncompliant code example (fprintf()):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
  /* user names are restricted to 256 characters or less */
  static const char msg_format[] = "%s could not be authenticated.\n";
  /* sizeof(msg_format) counts the array, including the terminating null */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *) malloc(len);
  if (!msg) {
    /* handle error condition */
    return;
  }
  snprintf(msg, len, msg_format, user);
  fprintf(stderr, msg);  /* msg contains user input and is used as the format string */
  free(msg);
  msg = NULL;
}

The incorrect_password() function constructs msg in dynamically allocated memory by first calculating the size of the message, allocating dynamic storage, and then constructing the message in the allocated memory using the snprintf() function. The addition operation is not checked for integer overflow because the string referenced by user is known to have a length of 256 or less. Because the two %s characters are replaced by the string referenced by user in the call to snprintf(), sizeof(msg_format) counts one byte more than is required to store the resulting string and its terminating null byte. This is a common idiom for displaying the same message in multiple locations or when the message is difficult to build. The resulting code contains a format-string vulnerability, however, because msg includes untrusted user input and is passed as the format-string argument in the call to fprintf().

...

Compliant solution (fputs()):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
  /* user names are restricted to 256 characters or less */
  static const char msg_format[] = "%s could not be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *) malloc(len);
  if (!msg) {
    /* handle error condition */
    return;
  }
  snprintf(msg, len, msg_format, user);
  fputs(msg, stderr);  /* msg is written as data, never interpreted as a format */
  free(msg);
  msg = NULL;
}

...

Compliant solution (fprintf() with a fixed format string):

#include <stdio.h>

void incorrect_password(const char *user) {
  /* user is passed as an argument to a constant format string */
  fprintf(stderr, "%s could not be authenticated.\n", user);
}

...

Noncompliant code example (syslog()):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

void incorrect_password(const char *user) {
  /* user names are restricted to 256 characters or less */
  static const char msg_format[] = "%s could not be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *) malloc(len);
  if (!msg) {
    /* handle error condition */
    return;
  }
  snprintf(msg, len, msg_format, user);
  syslog(LOG_INFO, msg);  /* msg contains user input and is used as the format string */
  free(msg);
  msg = NULL;
}

...

Compliant solution (syslog() with a fixed format string):

#include <syslog.h>

void incorrect_password(const char *user) {
  /* user is passed as an argument to a constant format string */
  syslog(LOG_INFO, "%s could not be authenticated.", user);
}
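The four examples above all hinge on one distinction: the user name must be an argument to a fixed format, never the format itself. The following added example (not part of the CERT page) shows the compliant construction as a function whose result can be checked, plus a small helper that flags any string about to be used as a format that still carries an unescaped conversion specifier; the function names and the "bob%s" sample user name are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true when s contains a '%' that the printf family would treat as a
 * conversion specification. A "%%" pair is a literal percent sign and is
 * skipped. Useful as a sanity check before any call that takes a format. */
bool has_conversion_spec(const char *s) {
  for (; *s != '\0'; s++) {
    if (*s != '%') {
      continue;
    }
    if (s[1] == '%') {   /* "%%" -> literal '%' */
      s++;
      continue;
    }
    return true;
  }
  return false;
}

/* Compliant counterpart of incorrect_password(): the user name is always an
 * argument to the constant msg_format. Returns what snprintf() returns, i.e.
 * the length of the full message excluding the terminating null, so a caller
 * can detect truncation by comparing the result against outsz. */
int format_auth_error(char *out, size_t outsz, const char *user) {
  static const char msg_format[] = "%s could not be authenticated.\n";
  return snprintf(out, outsz, msg_format, user);
}

/* Models the noncompliant step: would passing the constructed message as a
 * format string (as fprintf(stderr, msg) does) interpret user-supplied
 * characters as conversions? With a fixed format this never matters, since
 * the message is only ever emitted as data. */
bool message_unsafe_as_format(const char *user) {
  char msg[300];   /* 256-character user name limit plus the fixed text */
  format_auth_error(msg, sizeof msg, user);
  return has_conversion_spec(msg);
}
```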

...

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
FIO30-C  3 (high)  3 (likely)  3 (low)           P27       L1

Two recent examples of format-string vulnerabilities resulting from a violation of this rule include Ettercap (http://ettercap.sourceforge.net/history.php) and Samba (http://samba.org/samba/security/CVE-2007-0454.html). In Ettercap v.NG-0.7.2, the ncurses user interface suffers from a format string defect. The curses_msg() function in ec_curses.c calls wdg_scroll_print(), which takes a format string and its parameters and passes it to vw_printw(). The curses_msg() function uses one of its parameters as the format string. This input can include user data, allowing for a format string vulnerability [VU#286468]. The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled filenames that are used in a format specifier supplied to snprintf(). This security flaw becomes exploitable when a user is able to write to a share that uses Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system.

...