SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 162

changes.mady.by.user Svyatoslav Razmyslov

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

Code Block
bgColor#FFCCCC
langc
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
 
void incorrect_password(const char *user) {
  int ret;
  /* User names are restricted to 256 or fewer characters */
  static const char msg_format[] = "%s cannot be authenticated.\n";
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *)malloc(len);
  if (msg !== NULL) {
    /* Handle error */
  }
  ret = snprintf(msg, len, msg_format, user);
  if (ret < 0) { 
    /* Handle error */ 
  } else if (ret >= len) { 
    /* Handle truncated output */ 
  }
  syslog(LOG_INFO, msg);
  free(msg);
}

...

Failing to exclude user input from format specifiers may allow an attacker to crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location and consequently execute arbitrary code with the permissions of the vulnerable process.

Rule

Severity

Likelihood

Detectable

RepairableRemediation Cost

Priority

Level

FIO30-C

High

Likely

Yes

MediumNo

P18

L1

Automated Detection

SECURITY-05 SECURITY-08 SECURITY-36Input format argument is from an unsecure source

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
 Supported via stubbing/taint analysis
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-FIO30Partially implemented
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

IO.INJ.FMT
MISC.FMT

Format string injection
Format string

Compass/ROSE



Coverity
Include Page
Coverity_V
Coverity_V

TAINTED_STRING

Implemented
Cppcheck Premium
Include Page
Cppcheck Premium_V
Cppcheck Premium_V


premium-cert-fio30-c


GCC
Include Page
GCC_V
GCC_V

Can detect violations of this rule when the -Wformat-security flag is used

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF4916, DF4917, DF4918


Klocwork
Include Page
Klocwork_V
Klocwork_V

SV.FMTSTR.GENERIC
SV.TAINTED.FMTSTR


LDRA tool suite
Include Page
LDRA_V
LDRA_V

86 D

Partially Implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-FIO30-a
CERT_C-FIO30-b
CERT_C-FIO30-c

Avoid calling functions printf/wprintf with only one argument other than string constant
Avoid using functions fprintf/fwprintf with only two parameters, when second parameter is a variable
Never use unfiltered data from an untrusted user as the format parameter

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

592

Partially supported: reports non-literal format strings

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder

R2016aTainted string format

_V

CERT C: Rule FIO30-C

Checks for tainted string format (rule partially covered)

PVS-Studio

Include Page
PVS-Studio

6.22

_V
PVS-Studio_V

V618
Splint
Include Page
Splint_V
Splint_V


Related Vulnerabilities

Two examples of format-string vulnerabilities resulting from a violation of this rule include Ettercap and Samba.

...