
Never call any formatted I/O function with a format string containing user input.

An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location and, consequently, execute arbitrary code with the permissions of the vulnerable process [Seacord 2005a].

Formatted output functions are particularly dangerous because many programmers are unaware of their capabilities. (For example, they can write an integer value to a specified address using the %n conversion specifier.)

Noncompliant Code Example

This noncompliant code example shows the incorrect_password() function, which is called during identification and authentication if the specified user is not found or the password is incorrect, to display an error message. The function accepts the name of the user as a null-terminated byte string referenced by user. This is an excellent example of data that originates from an untrusted, unauthenticated user. The function constructs an error message, which is then output to stderr using the C99 standard fprintf() function [ISO/IEC 9899:1999].

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 characters or less */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) /* Handle error */ ;
  else if ((size_t)ret >= len) /* Handle truncated output */ ;

  /* Noncompliant: msg, which contains the untrusted user name, is used as the format string */
  fprintf(stderr, msg);
  free(msg);
}

...

Noncompliant Code Example (POSIX)

This noncompliant code example is exactly the same as the first noncompliant code example but uses the POSIX function syslog() [Open Group 2004], which is also susceptible to format-string vulnerabilities, instead of the fprintf() function.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 characters or less */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg == NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) /* Handle error */ ;
  else if ((size_t)ret >= len) /* Handle truncated output */ ;

  /* Noncompliant: msg, which contains the untrusted user name, is used as the format string */
  syslog(LOG_INFO, msg);
  free(msg);
}
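A hardened counterpart to both noncompliant examples above, added here as an illustration and not part of the original rule page: the untrusted user name only ever travels as the argument of a constant "%s" format (or through fputs()), so any conversion specifiers it contains are printed literally instead of being interpreted. The names MAX_USER_LEN, build_auth_error(), report_auth_error() and preserves_specifiers() are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#define MAX_USER_LEN 256  /* assumed limit, matching the comment in the examples above */

/* Builds "<user> cannot be authenticated.\n". The user name is passed only as
 * the %s argument, never as part of the format. Returns a malloc'd string
 * that the caller frees, or NULL if the name is too long or allocation fails. */
char *build_auth_error(const char *user) {
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t ulen = strlen(user);
  if (ulen > MAX_USER_LEN) {
    return NULL;
  }
  /* sizeof(msg_format) counts the NUL and the two bytes of "%s", so this is enough */
  size_t len = ulen + sizeof(msg_format);
  char *msg = malloc(len);
  if (msg == NULL) {
    return NULL;
  }
  int ret = snprintf(msg, len, msg_format, user);
  if (ret < 0 || (size_t)ret >= len) {
    free(msg);
    return NULL;
  }
  return msg;
}

/* Compliant sinks: fputs() does no format parsing, and syslog() gets a
 * constant format with the message supplied as data. Returns 0 on success. */
int report_auth_error(const char *user) {
  char *msg = build_auth_error(user);
  if (msg == NULL) {
    return -1;
  }
  fputs(msg, stderr);
  syslog(LOG_INFO, "%s", msg);
  free(msg);
  return 0;
}

/* Returns 1 if the rendered message reproduces the user name byte for byte
 * (any '%' sequences kept literal) followed by the fixed suffix, else 0. */
int preserves_specifiers(const char *user) {
  char *msg = build_auth_error(user);
  if (msg == NULL) {
    return 0;
  }
  size_t ulen = strlen(user);
  int ok = strncmp(msg, user, ulen) == 0 &&
           strcmp(msg + ulen, " cannot be authenticated.\n") == 0;
  free(msg);
  return ok;
}
```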

...

Tool              Version               Checker                                Description
Fortify SCA       V. 5.0
Splint            (see Splint_V)
GCC               (see GCC_V)                                                  Can detect violations of this rule when the -Wformat-security flag is used
Compass/ROSE
Klocwork          (see Klocwork_V)      SV.FMTSTR.GENERIC, SV.TAINTED.FMTSTR
LDRA tool suite   (see LDRA_V)          86 D                                   Partially implemented

...

MITRE CWE: CWE-134, "Uncontrolled Format String"

Bibliography

[Open Group 2004] syslog(), http://www.opengroup.org/onlinepubs/009695399/toc.htm
[Seacord 2005] Chapter 6, "Formatted Output"
[Viega 2005] Section 5.2.23, "Format string problem"

...
