...
| Wiki Markup |
|---|
This noncompliant code example shows the {{incorrect_password()}} function, which is called during identification and authentication if the specified user is not found, or the password is incorrect, to display an error message. The function accepts the name of the user as a null-terminated byte string referenced by {{user}}. This is an excellent example of data that originates from an untrusted, unauthenticated user. The function constructs an error message which is then output to {{stderr}} using the C99 standard {{fprintf()}} function \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]. |
| Code Block |
|---|
|
#define MSG_FORMAT "%s cannot be authenticated.\n"
void incorrect_password(const char *user) {
/* user names are restricted to 256 characters or less */
static const char *msg_format = MSG_FORMAT;
size_t len = strlen(user) + sizeof(MSG_FORMAT);
char *msg = (char *)malloc(len);
if (!msg) {
/* handle error condition */
}
int ret = snprintf(msg, len, msg_format, user);
if (ret < 0 || ret >= len) {\
/* Handle error */
}
fprintf(stderr, msg);
free(msg);
msg = NULL;
}
|
...
This compliant solution fixes the problem by replacing the fprintf() call with a call to fputs(), which does not treat msg like a format string, but outputs it to stderr as is.
| Code Block |
|---|
|
#define MSG_FORMAT "%s cannot be authenticated.\n"
void incorrect_password(const char *user) {
/* user names are restricted to 256 characters or less */
static const char *msg_format = MSG_FORMAT;
size_t len = strlen(user) + sizeof(msg_format);
char *msg = (char *)malloc(len);
if (!msg) {
/* Handle error condition */
}
int ret = snprintf(msg, len, msg_format, user);
if (ret < 0 || ret >= len) {\
/* Handle error */
}
if (fputs(msg, stderr) == EOF) {
/* Handle error */
}
free(msg);
msg = NULL;
}
|
...
This simpler compliant solution passes the untrusted user input as one of the variadic arguments to fprintf() and not as part of the format string, eliminating the possibility of a format-string vulnerability.
| Code Block |
|---|
|
#define MSG_FORMAT "%s cannot be authenticated.\n"
void incorrect_password(const char *user) {
fprintf(stderr, MSG_FORMAT, user);
}
|
...
| Wiki Markup |
|---|
This noncompliant code example is exactly the same as the first noncompliant code example but uses the POSIX function {{syslog()}} \[[Open Group 04|AA. C References#Open Group 04]\] instead of the {{fprintf()}} function, which is also susceptible to format-string vulnerabilities. |
| Code Block |
|---|
|
#define MSG_FORMAT "%s cannot be authenticated.\n"
void incorrect_password(const char *user) {
/* user names are restricted to 256 characters or less */
static const char *msg_format = MSG_FORMAT;
size_t len = strlen(user) + sizeof(msg_format);
char *msg = (char *)malloc(len);
if (!msg) {
/* Handle error condition */
}
int ret = snprintf(msg, len, msg_format, user);
if (ret < 0 || ret >= len) {\
/* Handle error */
}
syslog(LOG_INFO, msg);
free(msg);
msg = NULL;
}
|
...
This compliant solution passes the untrusted user input as one of the variadic arguments to syslog() instead of including it in the format string.
| Code Block |
|---|
|
#define MSG_FORMAT "%s cannot be authenticated.\n"
void incorrect_password(const char *user) {
syslog(LOG_INFO, MSG_FORMAT, user);
}
|
...
| Wiki Markup |
|---|
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.6, "Formatted input/output functions"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "RST Injection"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 134|http://cwe.mitre.org/data/definitions/134.html], "Uncontrolled Format String"
\[[Open Group 04|AA. C References#Open Group 04]\] [{{syslog()}}|http://www.opengroup.org/onlinepubs/009695399/toc.htm]
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 6, "Formatted Output"
\[[Viega 05|AA. C References#Viega 05]\] Section 5.2.23, "Format string problem" |
...
FIO16-C. Limit access to files by creating a jail
Image Added 09. Input Output (FIO) FIO31-C. Do not simultaneously open the same file multiple times
