Versions Compared

If either of the C Standard fgets() or fgetws() functions fails, the contents of the array being written are indeterminate. (See undefined behavior 175.) It is necessary to reset the string to a known value to avoid errors on subsequent string manipulation functions.

...

Noncompliant Code Example

In this noncompliant code example, an error flag is set if fgets() fails. However, buf is not reset and has indeterminate contents:

```c
#include <stdio.h>

enum { BUFFER_SIZE = 1024 };

void func(FILE *file) {
  char buf[BUFFER_SIZE];

  if (fgets(buf, sizeof(buf), file) == NULL) {
    /* Set error flag and continue */
  }
  /* buf is indeterminate here if fgets() failed */
  printf("Read in: %s\n", buf);
}
```

Compliant Solution

In this compliant solution, buf is set to an empty string if fgets() fails. The equivalent solution for fgetws() would set buf to an empty wide string.

```c
#include <stdio.h>

enum { BUFFER_SIZE = 1024 };

void func(FILE *file) {
  char buf[BUFFER_SIZE];

  if (fgets(buf, sizeof(buf), file) == NULL) {
    /* Set error flag and continue */
    *buf = '\0';  /* Reset buf to a known value: the empty string */
  }
  printf("Read in: %s\n", buf);
}
```
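The compliant solution above, generalized into reusable wrappers for both fgets() and fgetws() that also report whether the failure was end-of-file or a read error. This is an added example, not code from the CERT page; read_status, why_failed, read_line and read_wline are hypothetical names, and the sample input is constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical status codes for this example. */
enum read_status { READ_OK, READ_EOF, READ_ERROR };

/* Tell end-of-file apart from a read error after a NULL return. */
static enum read_status why_failed(FILE *fp) {
  return ferror(fp) ? READ_ERROR : READ_EOF;
}

/* fgets() wrapper: on failure buf is reset to "" before returning. */
enum read_status read_line(char *buf, size_t size, FILE *fp) {
  if (size == 0) return READ_ERROR;            /* no room even for '\0' */
  if (size > (size_t)INT_MAX) size = INT_MAX;  /* fgets() takes an int */
  if (fgets(buf, (int)size, fp) == NULL) {
    *buf = '\0';                               /* known value, per FIO40-C */
    return why_failed(fp);
  }
  return READ_OK;
}

/* fgetws() equivalent: count is in wide characters, not bytes. */
enum read_status read_wline(wchar_t *buf, size_t count, FILE *fp) {
  if (count == 0) return READ_ERROR;
  if (count > (size_t)INT_MAX) count = INT_MAX;
  if (fgetws(buf, (int)count, fp) == NULL) {
    *buf = L'\0';                              /* empty wide string */
    return why_failed(fp);
  }
  return READ_OK;
}

int main(void) {
  char buf[16] = "stale";
  FILE *fp = tmpfile();                        /* constructed sample input */
  if (fp == NULL) return 1;
  fputs("line one\n", fp);
  rewind(fp);
  while (read_line(buf, sizeof(buf), fp) == READ_OK)
    printf("read: %s", buf);
  printf("length after failure: %zu\n", strlen(buf));
  fclose(fp);
  return 0;
}
```

Callers pass sizeof(buf) to read_line() but the element count, not the byte size, to read_wline().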

Exceptions

FIO40-C-EX1: If the string goes out of scope immediately following the call to fgets() or fgetws() or is not referenced in the case of a failure, it need not be reset.

Risk Assessment

Making invalid assumptions about the contents of an array modified by fgets() or fgetws() can result in undefined behavior 175 and abnormal program termination.

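| Rule | Severity | Likelihood | Detectable | Remediation Cost | Repairable | Priority | Level |
|------|----------|------------|------------|------------------|------------|----------|-------|
| FIO40-C | 1 (low) | 1 (unlikely) | | 2 (medium) | | P2 | L3 |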

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Mitigation Strategies

Static Analysis

Because this issue and the solution recommended by this rule are local, simple static analysis should be effective at assuring compliance with this rule. A simple search should find calls to fgets(), and local analysis should be effective at finding the code that runs when NULL is returned and at determining whether the returned string is reset.

This rule also lends itself to inclusion in a global rule set that can be shipped with a static analysis tool.

Dynamic Analysis

It may be possible to assure compliance with this rule with some run-time mechanism. However, it seems unlikely that dynamic analysis would be chosen over the straightforward static analysis, considering the well-known disadvantages of dynamic analysis (performance, difficulty confirming that all cases are covered, etc.).

Manual inspection

Manual inspection (especially if assisted by tooling to locate all calls to fgets()) could be effective and relatively efficient. 

Testing

Due to the low level of this rule (all calls to fgets()), it seems unlikely that testing would be used to provide assurance of a codebase's compliance.

References

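| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|------|----------|------------|------------|------------|----------|-------|
| FIO40-C | Low | Probable | Yes | Yes | P6 | L2 |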

Automated Detection

| Tool | Version | Checker | Description |
|------|---------|---------|-------------|
| CodeSonar | | LANG.MEM.UVAR | Uninitialized Variable |
| Cppcheck Premium | | premium-cert-fio40-c | |
| Helix QAC | | DF4861, DF4862, DF4863 | |
| LDRA tool suite | | 44 S | Enhanced enforcement |
| Parasoft C/C++test | | CERT_C-FIO40-a | Reset strings on fgets() or fgetws() failure |
| Polyspace Bug Finder | | CERT C: Rule FIO40-C | Checks for use of indeterminate string (rule partially covered) |
| PVS-Studio | | V1024 | |

...

[ISO/IEC 9899-1999] Section 7.19.7.2, "The fgets function"