Versions Compared

...

The incorrect_password() function calculates the size of the message, allocates dynamic storage, and then constructs the message in the allocated memory using the snprintf() function. The addition operations are not checked for integer overflow because the string referenced by user is known to have a length of 256 or less. Because the %s characters are replaced by the string referenced by user in the call to snprintf(), one less byte is required to store the resulting string and terminating null character. This is a common idiom for displaying the same message in multiple locations or when the message is difficult to build. The resulting code contains a format-string vulnerability, however, because msg includes untrusted user input and is passed as the format-string argument in the call to fprintf().
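The following is an added example, not the page's own code: it builds the message exactly as described above and then writes it with fputs() so that it is treated as data rather than as a format string. MAX_USER_LEN, build_message(), count_conversions() and report_incorrect_password() are names chosen here; the user strings in the test are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the page's own code: the message is built as the
 * paragraph describes and then written as data, not as a format string.
 * MAX_USER_LEN reflects the page's statement that user is 256 bytes or less. */
#define MAX_USER_LEN 256

static const char msg_format[] = "%s cannot be authenticated.\n";

/* Build "<user> cannot be authenticated.\n" in dynamic storage.
 * Returns NULL on any failure; the caller frees the result. */
char *build_message(const char *user) {
    size_t user_len = strlen(user);
    if (user_len > MAX_USER_LEN) return NULL;  /* precondition from the page */
    /* sizeof(msg_format) already counts the "%s" that user replaces and the
     * terminating NUL, so len is never too small for the result. */
    size_t len = user_len + sizeof(msg_format);
    char *msg = malloc(len);
    if (msg == NULL) return NULL;
    int ret = snprintf(msg, len, msg_format, user);
    if (ret < 0 || (size_t)ret >= len) {  /* encoding error or truncation */
        free(msg);
        return NULL;
    }
    return msg;
}

/* Count conversion specifications ('%' not followed by another '%') that
 * fprintf() would interpret if msg were ever passed as its format argument. */
int count_conversions(const char *msg) {
    int n = 0;
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') p++;   /* "%%" is a literal percent sign */
        else n++;
    }
    return n;
}

/* Compliant write: msg is data, so fputs() emits any '%' in it literally.
 * The noncompliant form the page describes would be fprintf(out, msg). */
int report_incorrect_password(FILE *out, const char *user) {
    char *msg = build_message(user);
    if (msg == NULL) return -1;
    int rc = (fputs(msg, out) == EOF) ? -1 : 0;
    free(msg);
    return rc;
}
```

count_conversions() is the check a reviewer or a unit test can apply to any string that is about to reach a format argument: a nonzero result on untrusted data is exactly the condition this rule forbids.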

...

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
FIO30-C   high       likely       medium             P18        L1

...

Two recent examples of format-string vulnerabilities resulting from a violation of this rule include [Ettercap|http://ettercap.sourceforge.net/history.php] and [Samba|http://samba.org/samba/security/CVE-2007-0454.html]. In Ettercap v.NG-0.7.2, the ncurses user interface suffers from a format-string defect. The {{curses_msg()}} function in {{ec_curses.c}} calls {{wdg_scroll_print()}}, which takes a format string and its parameters and passes them to {{vw_printw()}}. The {{curses_msg()}} function uses one of its parameters as the format string. This input can include user data, allowing for a format-string vulnerability \[[VU#286468|AA. C References#VU286468]\]. The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled file names that are used in a format specifier supplied to {{snprintf()}}. This [security flaw|BB. Definitions#security flaw] becomes exploitable when a user can write to a share that uses Samba's {{afsacl.so}} library for setting Windows NT access control lists on files residing on an AFS file system.

Automated Detection

Fortify SCA Version 5.0 can detect violations of this rule.

...

References
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.6, "Formatted input/output functions"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "RST Injection"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 134|http://cwe.mitre.org/data/definitions/134.html], "Uncontrolled Format String"
\[[Open Group 04|AA. C References#Open Group 04]\] [{{syslog()}}|http://www.opengroup.org/onlinepubs/009695399/toc.htm]
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 6, "Formatted Output"
\[[Viega 05|AA. C References#Viega 05]\] Section 5.2.23, "Format string problem"
\[[VU#286468|AA. C References#VU286468]\]
\[[VU#649732|AA. C References#VU649732]\]

...
