Versions Compared

Comment: exception

...

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

static bool isReservedName(const char *path) {
  /* This list of reserved names comes from MSDN */
  static const char *reserved[] = {
    "nul", "con", "prn", "aux", "com1", "com2", "com3",
    "com4", "com5", "com6", "com7", "com8", "com9",
    "lpt1", "lpt2", "lpt3", "lpt4", "lpt5", "lpt6",
    "lpt7", "lpt8", "lpt9"
  };
  bool ret = false;

  /*
   * First, check to see if this is a device namespace, which
   * always starts with \\.\, because device namespaces are not
   * valid file paths.
   */
  if (!path || 0 == strncmp(path, "\\\\.\\", 4)) {
    return true;
  }

  /* Compare against the list of ancient reserved names */
  for (size_t i = 0; !ret &&
       i < sizeof(reserved) / sizeof(*reserved); ++i) {
    /*
     * Because Windows uses a case-insensitive file system, compare
     * the given filename case-insensitively. Note: This ignores
     * globalization issues and assumes ASCII characters.
     */
    if (0 == _stricmp(path, reserved[i])) {
      ret = true;
    }
  }
  return ret;
}
```
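`isReservedName()` compares the whole string against the list, so a reserved name written with a directory prefix, an extension, a trailing colon or trailing spaces does not match. The added example below (not CERT's code; `is_reserved_path` and `stem_equals` are hypothetical names) goes beyond the page's check by reducing the path to the stem of its final component before comparing. It assumes Windows resolves those forms to the same device, and it uses only standard C so it also builds off Windows.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Same reserved names as the list in isReservedName() above. */
static const char *const reserved_names[] = {
  "nul", "con", "prn", "aux", "com1", "com2", "com3",
  "com4", "com5", "com6", "com7", "com8", "com9",
  "lpt1", "lpt2", "lpt3", "lpt4", "lpt5", "lpt6",
  "lpt7", "lpt8", "lpt9"
};

/* ASCII case-insensitive match of the n bytes at s against a lowercase name. */
static bool stem_equals(const char *s, size_t n, const char *name) {
  size_t i = 0;
  while (i < n && name[i] && tolower((unsigned char)s[i]) == name[i]) {
    ++i;
  }
  return i == n && name[i] == '\0';
}

/* Hypothetical helper: true if path must not be treated as a regular file. */
bool is_reserved_path(const char *path) {
  if (!path || 0 == strncmp(path, "\\\\.\\", 4)) {
    return true;  /* NULL pointer or device namespace, as in the original */
  }
  const char *base = path;  /* start of the final path component */
  for (const char *p = path; *p; ++p) {
    if (*p == '\\' || *p == '/') {
      base = p + 1;
    }
  }
  if (isalpha((unsigned char)base[0]) && base[1] == ':') {
    base += 2;  /* drive-relative form such as "C:name" */
  }
  size_t n = strcspn(base, ".:");  /* drop extension or trailing colon */
  while (n > 0 && base[n - 1] == ' ') {
    --n;  /* drop trailing spaces */
  }
  for (size_t i = 0; i < sizeof(reserved_names) / sizeof(*reserved_names); ++i) {
    if (stem_equals(base, n, reserved_names[i])) {
      return true;
    }
  }
  return false;
}
```

The check is deliberately conservative: it rejects any final component whose stem is a reserved name, whatever the extension.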

Exceptions

FIO32-C-EX1: These checks are intended for opening files specified by a user (or an untrusted source). Intentionally opening device files does not violate this rule.

Risk Assessment

Allowing operations that are appropriate only for regular files to be performed on devices can result in denial-of-service attacks or more serious exploits depending on the platform.

| Rule | Severity | Likelihood | Detectable | Repairable / Remediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
| FIO32-C | Medium | Unlikely | No | No / Medium | P4 / P2 | L3 |

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| Compass/ROSE | | | Could detect some violations of this rule. This rule applies only to untrusted file name strings, and ROSE cannot tell which strings are trusted and which are not. The best heuristic is to note if there is any verification of the file name before or after the fopen() call. If there is any verification, then the file opening should be preceded by an lstat() call and succeeded by an fstat() call. Although that does not enforce the rule completely, it does indicate that the coder is aware of the lstat-fopen-fstat idiom. |
| Cppcheck Premium | | premium-cert-fio32-c | |
| Helix QAC | | DF4921, DF4922, DF4923 | |
| Parasoft C/C++test | | CERT_C-FIO32-a | Protect against file name injection |
| Polyspace Bug Finder | | CERT C: Rule FIO32-C | Checks for inappropriate I/O operation on device files (rule partially covered / fully covered) |
| PRQA QA-C | | 4921, 4922, 4923 | Enforced by QAC |
| PRQA QA-C++ | | | |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...