SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 127

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The atoi(), atol()atoll(), and atof() functions convert the initial portion of a string token to int, long int, long long int, and double representation representation, respectively. Except for the behavior on error ([ISO/IEC 9899:2024], s7.24.1.2), they are equivalent to

Code Block
atoi: (int)strtol(nptr, (char **)NULL, 10)
atol: strtol(nptr, (char **)NULL, 10)
atoll: strtoll(nptr, (char **)NULL, 10)
atof: strtod(nptr, (char **)NULL)

...

  • do not need to set errno on an error;
  • have have undefined behavior 16 if the value of the result cannot be represented;
  • return 0 (or 0.0) if the string does not represent an integer (or decimal), which is indistinguishable from a correctly formatted, zero-denoting input string.

...

Code Block
bgColor#ccccff
langc
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <stdio.h>
 
void func(const char *buff) {
  char *end;
  int si;

  errno = 0;

  const long sl = strtol(buff, &end, 10);

  if (end == buff) {
    (void) fprintf(stderr, "%s: not a decimal number\n", buff);
  } else if ('\0' != *end) {
    (void) fprintf(stderr, "%s: extra characters at end of input: %s\n", buff, end);
  } else if ((LONG_MIN == sl || LONG_MAX == sl) && ERANGE == errno) {
    (void) fprintf(stderr, "%s out of range of type long\n", buff);
  } else if (sl > INT_MAX) {
    (void) fprintf(stderr, "%ld greater than INT_MAX\n", sl);
  } else if (sl < INT_MIN) {
    (void) fprintf(stderr, "%ld less than INT_MIN\n", sl);
  } else {
    si = (int)sl;

    /* Process si */
  }
}

...

It is rare for a violation of this rule to result in a security vulnerability unless it occurs in security-sensitive code. However, violations of this rule can easily result in lost or misinterpreted data. 

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

ERR34-C

Medium

Unlikely

Medium

Yes

Yes

P4

P6

L3

L2

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-ERR34
Clang
Include Page
Clang_39_V
Clang_39_V
cert-err34-cChecked by clang-tidy
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

BADFUNC.ATOF
BADFUNC.ATOI
BADFUNC.ATOL
BADFUNC.ATOLL

(customization)

Use of atof
Use of atoi
Use of atol
Use of atoll

Users can add custom checks for uses of other undesirable conversion functions.

Compass/ROSE

 

 



Can detect violations of this recommendation by flagging invocations of the following functions:

    • atoi()
    • scanf(), fscanf(), sscanf()
    • Others?
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5030

C++5016


Klocwork
Include Page
Klocwork_V
Klocwork_V

CERT.ERR.CONV.STR_TO_NUM
MISRA.STDLIB.ATOI

 

SV.BANNED.RECOMMENDED.SCANF


LDRA tool suite
Include Page
LDRA_V
LDRA_V

44 S

Fully implemented

Parasoft C/C++test
Include Page
c:
Parasoft_V
c:
Parasoft_V
MISRA2004-20_10Fully implementedPRQA QA-C++ Include Pagecplusplus:PRQA QA-C++_Vcplusplus:PRQA QA-C++_V

5016

 PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v5030Partially implemented

CERT_C-ERR34-a

The 'atof', 'atoi', 'atol' and 'atoll' functions from the 'stdlib.h' or 'cstdlib' library should not be used
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

586

Assistance provided

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule ERR34-CChecks for unsafe conversion from string to numeric value (rule fully covered)
SonarQube C/C++ Plugin
Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
S989
 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT CINT06-CPP. Use strtol() or a related function to convert a string token to an integerPrior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-676, Use of potentially dangerous function2017-05-18: CERT: Rule subset of CWE
CWE 2.11CWE-7582017-06-29: CERT: Partial overlap

CERT-CWE Mapping Notes

Key here for mapping notes

...

CWE-391 = Union( ERR34-C, list) where list =


  • Failure to errors outside of string-to-number conversion functions


CWE-676 and ERR34-C


  • Independent( ENV33-C, CON33-C, STR31-C, EXP33-C, MSC30-C, ERR34-C)



  • ERR34-C implies that string-parsing functions (eg atoi() and scanf()) are dangerous.



  • CWE-676 = Union( ERR34-C, list) where list =



  • Invocation of dangerous functions besides the following:



  • atoi(), atol(), atoll(), atof(), The scanf()family


CWE-758 and ERR34-C

Independent( INT34-C, INT36-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)

Intersection( CWE-758, ERR34-C) =


  • Undefined behavior arising from a non-representable numeric value being parsed by an ato*() or scanf() function


CWE-758 – ERR34-C =


  • Undefined behavior arising from using a function outside of the ato*() or scanf() family


ERR34-C – CWE-758 =


  • The ato*() or scanf() family receives input that is not a number when trying to parse one


Bibliography

[ISO/IEC 9899:
2011
2024]Subclause 7.
22
24.1, "Numeric conversion
functions"
Subclause 7.21.6, "Formatted input/output
functions"
[Klein 2002]
 

...



...