...
Formatted output functions are particularly dangerous because many programmers are unaware of their capabilities. For example, the {{%n}} conversion specifier does not print anything: it writes the number of characters output so far to an {{int}} at the address supplied as the corresponding argument, so an attacker who controls the format string can write a chosen value to memory.
...
Noncompliant Code Example
This noncompliant code example shows the {{incorrect_password()}} function, which is called during identification and authentication to display an error message if the specified user is not found or the password is incorrect. The function accepts the name of the user as a null-terminated byte string referenced by {{user}}. This is an excellent example of data that originates from an untrusted, unauthenticated user. The function constructs an error message, which is then output to {{stderr}} using the C99 standard {{fprintf()}} function [ISO/IEC 9899:1999]. Because the constructed message, and with it the user-supplied name, is passed to {{fprintf()}} as the format argument, any conversion specifiers in the user name are interpreted rather than printed.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
  /* User names are restricted to 256 characters or less. */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  /* sizeof(msg_format) includes the terminating null; the two bytes of "%s"
     that are replaced leave a little slack. */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (!msg) {
    /* Handle error condition */
    return;
  }
  int ret = snprintf(msg, len, msg_format, user);
  if (ret < 0 || (size_t)ret >= len) {
    /* Handle error */
    free(msg);
    return;
  }
  /* Noncompliant: msg contains the untrusted user name and is passed as the
     format string, so any conversion specifiers in it are interpreted. */
  fprintf(stderr, msg);
  free(msg);
  msg = NULL;
}
```
...
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
  /* User names are restricted to 256 characters or less. */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  /* sizeof(msg_format) includes the terminating null; the two bytes of "%s"
     that are replaced leave a little slack. */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (!msg) {
    /* Handle error condition */
    return;
  }
  int ret = snprintf(msg, len, msg_format, user);
  if (ret < 0 || (size_t)ret >= len) {
    /* Handle error */
    free(msg);
    return;
  }
  /* Compliant: fputs() takes no format string, so msg is written verbatim. */
  if (fputs(msg, stderr) == EOF) {
    /* Handle error */
  }
  free(msg);
  msg = NULL;
}
```
...
```c
#include <stdio.h>

void incorrect_password(const char *user) {
  /* Compliant: the format is a string literal; user is only an argument to %s. */
  fprintf(stderr, "%s cannot be authenticated.\n", user);
}
```
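The following program is an added example; it is not code from the original page or from CERT. It makes the difference between the noncompliant and compliant shapes of {{incorrect_password()}} observable, and shows the {{%n}} write described earlier, without undefined behaviour: the user-controlled format is given the {{int}} pointer that {{%n}} would otherwise take from wherever the missing argument happens to be, so the write it performs can be inspected. {{count_conversions()}} is a small helper assumed by this example (not a CERT recommendation, and no substitute for a literal format) that counts conversion specifications in untrusted data, useful for flagging or alerting on such input. The sample user names are constructed.

```c
/* Added example; not from the original page. Build: cc -std=c99 -Wall fmt_demo.c */
#include <stdio.h>
#include <string.h>

/* The demonstration deliberately passes a non-literal format; a real build
   should keep these warnings enabled (and promote them to errors). */
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#pragma GCC diagnostic ignored "-Wformat-security"

/* Count conversion specifications in s. "%%" is a literal percent sign and a
   lone '%' at the end of the string starts no conversion. Hypothetical helper
   for flagging untrusted data that would be interpreted as a format. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') {
            continue;
        }
        if (p[1] == '%') {   /* "%%": skip the pair */
            p++;
            continue;
        }
        if (p[1] == '\0') {  /* trailing '%' */
            break;
        }
        n++;
    }
    return n;
}

/* Noncompliant shape: the user string is the format, just as msg is in the
   noncompliant incorrect_password(). Normally %n would store through whatever
   sits where the next argument should be; here 'written' is supplied as that
   argument so the write is visible and well defined. Returns the snprintf()
   result; *written stays -1 unless a %n in 'user' was processed. */
int format_user_controlled(char *out, size_t outsz, const char *user, int *written) {
    *written = -1;
    return snprintf(out, outsz, user, written);
}

/* Compliant shape: the format is a string literal and the user string is only
   consumed by %s, so its '%' characters are copied, never interpreted. */
int format_constant(char *out, size_t outsz, const char *user) {
    return snprintf(out, outsz, "%s cannot be authenticated.\n", user);
}

int main(void) {
    /* Constructed sample user names. */
    const char *names[] = { "bob", "bob%n", "100%% sure", "%08x.%08x.%s" };
    char out[128];
    int written;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("user \"%s\": %d conversion(s)\n", names[i], count_conversions(names[i]));
        format_constant(out, sizeof out, names[i]);
        printf("  compliant  : %s", out);
        /* Only run the vulnerable path for inputs with no conversions or with
           the single %n we supplied an argument for; "%08x.%08x.%s" would read
           arguments that do not exist, which is undefined behaviour. */
        if (count_conversions(names[i]) == 0 || strcmp(names[i], "bob%n") == 0) {
            format_user_controlled(out, sizeof out, names[i], &written);
            printf("  vulnerable : \"%s\", %%n stored %d\n", out, written);
        }
    }
    return 0;
}
```

Running it shows that {{"bob%n"}} produces the output {{bob}} and stores 3 through the pointer on the vulnerable path, while the compliant path prints {{bob%n cannot be authenticated.}} and writes nothing. The same reasoning applies to {{syslog()}} and every other function whose first or second parameter is a {{printf}}-style format.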
...
Noncompliant Code Example (POSIX)
This noncompliant code example is exactly the same as the first noncompliant code example, except that it uses the POSIX function {{syslog()}} [Open Group 04] instead of {{fprintf()}}. {{syslog()}} takes a {{printf}}-style format string as its second argument and is therefore also susceptible to format-string vulnerabilities.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

void incorrect_password(const char *user) {
  /* User names are restricted to 256 characters or less. */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  /* sizeof(msg_format) includes the terminating null; the two bytes of "%s"
     that are replaced leave a little slack. */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (!msg) {
    /* Handle error condition */
    return;
  }
  int ret = snprintf(msg, len, msg_format, user);
  if (ret < 0 || (size_t)ret >= len) {
    /* Handle error */
    free(msg);
    return;
  }
  /* Noncompliant: msg contains the untrusted user name and is passed as the
     format string, so any conversion specifiers in it are interpreted. */
  syslog(LOG_INFO, msg);
  free(msg);
  msg = NULL;
}
```
...
```c
#include <syslog.h>

void incorrect_password(const char *user) {
  /* Compliant: the format is a string literal; user is only an argument to %s. */
  syslog(LOG_INFO, "%s cannot be authenticated.", user);
}
```
...