...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| SEI CERT C++ Coding Standard | INT06-CPP. Use strtol() or a related function to convert a string token to an integer | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-676, Use of Potentially Dangerous Function | 2017-05-18: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-758, Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | 2017-06-29: CERT: Partial overlap |
CERT-CWE Mapping Notes
CWE-20 and ERR34-C
Intersection( ERR34-C, CWE-20) = Ø
CERT C does not define the concept of ‘input validation’. String-to-integer conversion (ERR34-C) may qualify as input validation, but this is outside the scope of the CERT rule.
CWE-391 and ERR34-C
CWE-391 = Union( ERR34-C, list) where list =
- Failure to detect errors outside of string-to-number conversion functions
CWE-676 and ERR34-C
- Independent( ENV33-C, CON33-C, STR31-C, EXP33-C, MSC30-C, ERR34-C)
- ERR34-C implies that string-parsing functions (e.g., atoi() and scanf()) are dangerous.
- CWE-676 = Union( ERR34-C, list) where list =
- Invocation of dangerous functions besides the following:
- atoi(), atol(), atoll(), atof(), and the scanf() family
CWE-758 and ERR34-C
Independent( INT34-C, INT36-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)
Intersection( CWE-758, ERR34-C) =
- Undefined behavior arising from a non-representable numeric value being parsed by an ato*() or scanf() function
CWE-758 – ERR34-C =
- Undefined behavior arising from using a function outside of the ato*() or scanf() family
ERR34-C – CWE-758 =
- The ato*() or scanf() family receives input that is not a number when trying to parse one
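The CWE-676 and CWE-758 notes above turn on two concrete failure modes of the ato*() and scanf() families: a non-representable value is undefined behavior, and non-numeric input is indistinguishable from a genuine zero. The following is an added example (not code from the CERT page) showing the strtol()-based conversion the rule recommends, with the errno, end-pointer and range checks that atoi() lacks. The function names parse_int, classify, parsed_or and atoi_cannot_distinguish, and the sample inputs in main(), are constructed for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not CERT's own code. parse_int, classify, parsed_or and
 * atoi_cannot_distinguish are hypothetical names; inputs are constructed. */

/* Every outcome of a conversion is reported, never folded into a return of 0. */
typedef enum {
    PARSE_OK,            /* value stored in *out */
    PARSE_NOT_A_NUMBER,  /* no digits at all, or trailing non-space characters */
    PARSE_OUT_OF_RANGE   /* ERANGE from strtol(), or fits in long but not in int */
} parse_status;

/* ERR34-C compliant conversion: strtol() with errno, end-pointer and range checks. */
parse_status parse_int(const char *s, int *out)
{
    char *end;
    long val;

    errno = 0;                   /* strtol() only sets errno, it never clears it */
    val = strtol(s, &end, 10);

    if (end == s) {              /* no conversion could be performed */
        return PARSE_NOT_A_NUMBER;
    }
    while (isspace((unsigned char)*end)) {   /* tolerate trailing whitespace only */
        end++;
    }
    if (*end != '\0') {          /* e.g. "12abc": atoi() would silently return 12 */
        return PARSE_NOT_A_NUMBER;
    }
    if (errno == ERANGE) {       /* outside the range of long */
        return PARSE_OUT_OF_RANGE;
    }
    if (val < INT_MIN || val > INT_MAX) {    /* long may be wider than int */
        return PARSE_OUT_OF_RANGE;
    }
    *out = (int)val;
    return PARSE_OK;
}

/* Status-only view of parse_int(), for callers that discard the value. */
parse_status classify(const char *s)
{
    int v;
    return parse_int(s, &v);
}

/* The value if the string parsed cleanly, otherwise the caller's fallback. */
int parsed_or(const char *s, int fallback)
{
    int v;
    return parse_int(s, &v) == PARSE_OK ? v : fallback;
}

/* The ambiguity the mapping notes describe: atoi() returns 0 both for a real
 * zero and for input containing no number, so the caller cannot tell them
 * apart. Non-representable input is undefined behavior for atoi(), so that
 * case is deliberately not exercised here. */
int atoi_cannot_distinguish(void)
{
    return atoi("0") == atoi("not a number");
}

int main(void)
{
    const char *samples[] = {   /* constructed inputs covering each outcome */
        "42", "  -17 ", "0", "not a number", "", "12abc",
        "2147483648", "-2147483649", "99999999999999999999999"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0;
        parse_status st = parse_int(samples[i], &v);
        printf("%-26s -> %s", samples[i],
               st == PARSE_OK ? "ok" :
               st == PARSE_NOT_A_NUMBER ? "not a number" : "out of range");
        if (st == PARSE_OK) {
            printf(" (%d)", v);
        }
        printf("\n");
    }
    printf("atoi(\"0\") == atoi(\"not a number\"): %s\n",
           atoi_cannot_distinguish() ? "yes" : "no");
    return 0;
}
```

The range check against INT_MIN/INT_MAX matters on LP64 platforms, where "2147483648" fits in a 64-bit long without setting ERANGE but still does not fit in an int; on platforms with a 32-bit long the same input is caught by the ERANGE test instead, so both checks are needed for portable code.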
Bibliography
| [ISO/IEC 9899:2011] | Subclause 7.22.1, "Numeric conversion functions"; Subclause 7.21.6, "Formatted input/output functions" |
| [Klein 2002] | Klein, Jack. "Bullet Proof Integer Input Using strtol()." 2002 |
...