The C Standard, subclause 7.21.8.2 [ISO/IEC 9899:2011], defines the fwrite() function as follows:
Synopsis
size_t fwrite(const void *restrict ptr, size_t size, size_t nmemb, FILE *restrict stream);Description
The
fwrite()function writes, from the array pointed to byptr, up tonmembelements whose size is specified bysize, to the stream pointed to bystream. For each object,sizecalls are made to thefputc()function, taking the values (in order) from an array ofunsigned charexactly overlaying the object. The file position indicator for the stream (if defined) is advanced by the number of bytes successfully written. If an error occurs, the resulting value of the file position indicator for the stream is indeterminate
| Wiki Markup |
|---|
The POSIX standard defines the {{write()}} interface as follows \[1\]. |
ssize_t write (int filedes, const void *buffer, size_t size);
The write function writes up to size bytes from buffer to the file with descriptor filedes. The data in buffer is not necessarily a character string and a null character is output like any other character.
The definition does not state that the writefwrite() function will stop copying characters into the file if a null character is encountered. Therefore, when writing a C null-terminated byte string in to a file using the writefwrite() function, always use the size length of the buffer string as the size string plus 1 (to account for the null character) as the nmemb parameter.
Noncompliant Code Example
In the following piece of codethis noncompliant code example, the size of the buffer is stored in size1, but size2 number of characters are written in to the file. If size2 is greater than size1, write() will not stop copying characters at the null character.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <stdlib.h> #include <fcntl.h> int main(){ char *buffer = NULL; longsize_t size1,; size_t size2; FILE *filedes; /* Assume size1 int filedes; and size2 are appropriately initialized */ filedes = openfopen("out.txt", O_CREAT | O_WRONLY"w+"); if (filedes <== 0NULL) { /* Handle return 0; error */ } buffer = (char *)calloc( 1, size1); if (!buffer) == NULL) { /* Handle return 0; write(filedes, buffer, size2error */ } fwrite(buffer, 1, size2, filedes); free(buffer); buffer = NULL; closefclose(filedes); return 0; } |
Compliant
...
Solution
This compliant solution ensures The following code will ensure that the right correct number of characters are written in to the file.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <stdlib.h> #include <fcntl<string.h> int main(){ char *buffer = NULL; longsize_t size1,; size_t size2; FILE int *filedes; /* Assume size1 is appropriately initialized */ filedes = openfopen("out.txt", O_CREAT | O_WRONLY"w+"); if (filedes <== 0NULL){ /* Handle return 0; error */ } buffer = (char *)calloc( 1, size1); if (!buffer) == NULL) { /* Handle return 0;error */ } /* ... * Accept characters in to the buffer. * Check for buffer overflow * ... */ size2 = strlen(buffer) + 1; write(filedesfwrite(buffer, buffer1, size2, filedes); free(buffer); buffer = NULL; closefclose(filedes); return 0; } |
References
Risk Assessment
Failure to follow the recommendation could result in a non-null-terminated string being written to a file, which will create problems when the program tries to read it back as a null-terminated byte string.
Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
FIO18-C | Medium | Probable | No | No | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| LDRA tool suite |
| 44 S | Enhanced enforcement |
Related Guidelines
| SEI CERT C++ Coding Standard | VOID FIO18-CPP. Never expect write() to terminate the writing process at a null character |
Bibliography
| [ISO/IEC 9899:2011] | Subclause 7.21.8.2, "The fwrite Function" |
| [IEEE Std 1003.1:2013] | XSH, System Interfaces, fwrite |
...
Wiki Markup