...
This compliant solution uses feof() and ferror() to test for whether the EOF was an actual character or a real EOF because of end-of-file and ferror() to test for or errors:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
void func(void) {
int c;
do {
c = getchar();
} while (c != EOF);
if || (!feof(stdin)) {
/* Handle end of file */
} else if (&& !ferror(stdin)) {
/* Handle file error */
} else {
/* Received a character that resembles EOF; handle error */
}
)));
}
|
Noncompliant Code Example (Nonportable)
...
This compliant solution declares c wc to be a wint_t to match the integer type returned by getwc(). Furthermore, it does not rely on WEOF to determine end-of-file definitively.
...
Incorrectly assuming characters from a file cannot match EOF or WEOF has resulted in significant vulnerabilities, including command injection attacks. (See the *CA-1996-22 advisory.)
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|---|---|
FIO34-C | High | Probable |
Yes | Yes |
P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| conversion_overflow essential-type-assign | Soundly supported | ||||||
| Axivion Bauhaus Suite |
| CertC-FIO34 | |||||||
| CodeSonar |
| LANG.CAST.COERCE | Coercion alters value | ||||||
| Compass/ROSE |
| Coverity |
| CHAR_IO | Identifies defects when the return value of | ||||||
| Cppcheck Premium |
| premium-cert-fio34-c | |||||||
| ECLAIR | 1.2 | CC2.FIO34 | Partially implemented | ||||||
| Helix QAC |
| C2676, C2678 C++2676, C++2678, C++3001, C++3010, C++3051, C++3137, C++3717 | |||||||
| Klocwork |
| CWARN.CMPCHR.EOF |
| LDRA tool suite |
| 662 S | Fully implemented | ||||||
| Parasoft C/C++test |
|
|
|
CERT_C-FIO34-a | The macro EOF should be compared with the unmodified return value from the Standard Library function | ||||||||
| Checks for character values absorbed into EOF (rule partially covered) |
| Splint | 3.1.1 |
| RuleChecker |
| essential-type-assign | Supported |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | STR00-C. Represent characters using an appropriate type | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C Secure Coding Standard | INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT Oracle Secure Coding Standard for Java | FIO08-J. Use an int to capture the return value of methods that read a character or byte | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961:2013 | Using character values that are indistinguishable from EOF [chreof] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-197 | 2017-06-14: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-197 and FIO34-C
Independent( FLP34-C, INT31-C) FIO34-C = Subset( INT31-C)
Therefore: FIO34-C = Subset( CWE-197)
Bibliography
| [Kettlewell 2002] | Section 1.2, "<stdio.h> and Character Types" |
| [NIST 2006] | SAMATE Reference Dataset Test Case ID 000-000-088 |
| [Summit 2005] | Question 12.2 |