...
The following table shows a list of C standard library functions that provide limited or no error checking and reporting along with preferable alternatives:
Function | Preferable | Comments |
|---|---|---|
|
| No error indication, undefined behavior on error |
|
| No error indication, undefined behavior on error |
|
| No error indication, undefined behavior on error |
|
| No error indication, undefined behavior on error |
|
| No error indication, silent failure on error |
|
| No error indication, silent failure on error |
ctime | asctime/localtime | Undefined behavior if |
Noncompliant Code Example (atoi())
...
The atoi(), atol(), and atoll() functions convert the initial portion of a string token to int, long int, and long long int representation respectively. Except for the behavior on error, they are equivalent as follows:
Call | Equivalent on Success |
|---|---|
|
|
|
|
|
|
Unfortunately, atoi() and related functions lack a mechanism for reporting errors for invalid values. Specifically, the atoi(), atol(), and atoll() functions
- Do not need to set
errnoon an error. - Have undefined behavior if the value of the result cannot be represented. (See undefined behavior 119118 of Annex J of the C Standard.)
- Return 0 if the string does not represent an integer (which is indistinguishable from a correctly formatted, zero-denoting input string), but the C Standard only specifies the behavior of these functions on success.
...
Both the noncompliant code example and the compliant solution are taken from INT06ERR34-C. Use strtol() or a related function to convert a string token to an integerDetect errors when converting a string to a number.
Noncompliant Code Example (rewind())
...
Although it is rare for a violation of this rule to result in a security vulnerability, it can easily result in lost or misinterpreted data.
Recommendation | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level | |
|---|---|---|---|
ERR07-C | Medium | Probable | Yes |
Yes |
P12 |
L1 |
Automated Detection
This rule in general cannot be detected, although various examples can be detected by simply scanning for functions that have equivalent functions with better error handling.
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| bad-function | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-ERR07 | |||||||
| Helix QAC |
| C5046 | |||||||
| LDRA tool suite |
| 44 S, 593 S, 594 S | Partially implemented | ||||||
| Parasoft C/C++test |
| CERT_C-ERR07-a | The 'atof', 'atoi', 'atol' and 'atoll' functions from the 'stdlib.h' or 'cstdlib' library should not be used | ||||||
| PC-lint Plus |
| 586 | Fully supported | ||||||
| RuleChecker |
| bad-function | Fully checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| MITRE CWE | CWE-20, Improper Input Validation CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-91, XML Injection (aka Blind XPath Injection) CWE-94, Improper Control of Generation of Code ('Code Injection') CWE-114, Process Control CWE-601, URL Redirection to Untrusted Site ('Open Redirect') CWE-676, Use of potentially dangerous function |
Bibliography
| [Klein 2002] | "Bullet Proof Integer Input Using strtol()" |
...
...