Never call a formatted I/O function with a format string containing a tainted value . An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location. Consequently, the attacker can execute arbitrary code with the permissions of the vulnerable process [Seacord 2013b]. Formatted output functions are particularly dangerous because many programmers are unaware of their capabilities. For example, formatted output functions can be used to write an integer value to a specified address using the %n conversion specifier.
Noncompliant Code Example
...
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| IO.INJ.FMT | Format string injection | ||||||
| |||||||||
| Coverity | 6.5 | TAINTED_STRING_WARNING | Fully implemented | ||||||
5.0 | |||||||||
| GCC |
| Can detect violations of this rule when the | |||||||
| SV.FMTSTR.GENERIC | ||||||||
| 86 D | Partially Implemented | |||||||
| Polyspace Bug Finder | R2016a | Tainted string format | Input format argument is from an unsecure source | ||||||
|
...