C99 provides Section 7.27.3.1 of the C Standard [ISO/IEC 9899:20] provides the following sample implementation of the asctime() function in Section 7.23.3.1:
| Code Block |
|---|
char *asctime(const struct tm *timeptr)
{
static const char wday_name[7][3] = {
"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
};
static const char mon_name[12][3] = {
"Jan", "Feb", "Mar", "Apr", "May", "Jun",
"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};
static char result[26];
sprintf(result, "%.3s %.3s%3d %.2d:%.2d:%.2d %d\n",
wday_name[timeptr->tm_wday],
mon_name[timeptr->tm_mon],
timeptr->tm_mday, timeptr->tm_hour,
timeptr->tm_min, timeptr->tm_sec,
1900 + timeptr->tm_year);
return result;
}
|
This function is supposed to output a character string of 26 positions at most, including the terminating zero. If we count the length indicated by the format directives, we arrive at 25. Taking into account the terminating zero, the array size of the string appears sufficient.
However, this implementation assumes that the values of the struct tm data in timeptr are within normal ranges and does nothing to enforce thisthe range limit. If any of the values print more characters than expected, the sprintf() function may overflow the result array. For instance, if tm_year has the value 12345, then 27 characters (including the terminating null character) are printed, resulting in a buffer overflow.
The asctime() function primarily exists for compatibility with older implementations. Also, the asctime() function does not support localized date and time formats. The POSIX standard developers decided to mark the asctime() function obsolescent even though they are in C99 though it is in the C Standard because of the possibility of buffer overflow.
C99 C also provides the strftime() function, which can be used to avoid these problems.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
struct tm time_tm;
/* initialize time_tm */
char *time = asctime(&time_tm);
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
int validate_tm(struct tm* time) {
/*
* The range of valid values of the tm_sec member is [0, 60]
* inclusive (to allow for leap seconds).
*/
if (time->tm_sec < 0 || time->tm_sec > 60) return 0;
if (time->tm_min < 0 || time->tm_min >= 60) return 0;
if (time->tm_hour < 0 || time->tm_hour >= 24) return 0;
if (time->tm_mday <= 0 || time->tm_mday > 31) return 0;
if (time->tm_mon < 0 || time->tm_mon >= 12) return 0;
/* While other years are legit, they may overflow asctime()'s buffer */
if (time->tm_year < -999 || time->tm_year > 9999) return 0;
if (time->tm_wday < 0 || time->tm_wday >= 7) return 0;
if (time->tm_yday < 0 || time->tm_yday >= 366) return 0;
return 1;
}
struct tm time_tm;
/* initialize time_tm */
if (!validate_tm(&time_tm)) {
/* handle error */
}
char *time = asctime(&time_tm);
|
...
The strftime() function allows you to specify a more rigorous format , and also to specify the maximum size of the resulting time string.
| Code Block | ||||
|---|---|---|---|---|
| ||||
struct tm time;
const size_t maxsize = 26; /* or maximum size of time string */;
char s[maxsize];
const char *format = "%c"; /* current time representation for locale */
const struct tm *timeptr;
size_t size = strftime(s, maxsize, format, timeptr);
|
While this This call has the same effects as asctime(), but it ensures also ensures that no more than maxsize chars are printed, preventing buffer overflow.
...
On implementations that do not detect output-string-length overflow, it is possible to overflow the output buffers, resulting in a vulnerability.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC 9899:1999 Section 20 Section 7.2327.3.1, "The asctime function," and Section 7.2327.3.5, "The strftime function"
...
Sources
http://www.opengroup.org/onlinepubs/9699919799/functions/asctime.html
...