Errors can occur when incorrect assumptions are made about the type of data being read. These assumptions may be violated, for example, when binary data has been read from a file instead of text from a user's terminal or the output of a process is piped to stdin. (See recommendation FIO14-C. Understand the difference between text mode and binary mode with file streams.) On some systems, it may also be possible to input a null byte (as well as other binary codes) from the keyboard.
C99, Section Subclause 7.1923.7.2 , "The fgets function", paragraph 3 saysof the C Standard paragraph 3 [ISO/IEC 9899:2024] says,
The fgets function returns s if successful. If end-of-file is encountered and no characters have been read into the array, the contents of the array remain unchanged and a null pointer is returned. If a read error occurs during the operation, the members of the array have unspecified values and a null pointer is returned.
The wide-character function fgetws() has the same behavior. Therefore, if fgets() returns or fgetws() returns a non-null pointer, we can assume it actually filled it is safe to assume that the array with contains data. However, assuming that it filled it is erroneous to assume that the array with a non-empty null-terminated byte string (NTBS) is erroneous contains a nonempty string because the data it placed in the array may contain null characters.
Noncompliant Code Example
This noncompliant code example attempts to remove the trailing new-line newline (\n) from an input line. The fgets() function is typically used to read a newnewline-line terminated - line of input from a stream. It takes a size parameter for the destination buffer and copies, at most, size - 1 characters from a stream to a character array.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <string.h> enum { BUFFER_SIZE = 1024 }; void func(void) { char buf[BUFSIZ + 1BUFFER_SIZE]; if (fgets(buf, sizeof(buf), stdin) == NULL) { /* Handle error */ } buf[strlen(buf) - 1] = '\0'; } |
The strlen() function computes the length of a string by determining the number of characters that precede the terminating null character. A problem occurs if the first character read from the input by fgets() happens to be a null character. This may occur, for example, if a binary data file is read by the fgets() call [Lai 2006]. If the first character in buf is a null character, strlen(buf) returns 0, the expression strlen(buf) - 1 wraps around to a large positive value, and a write-outside-array-bounds error occurs.
Compliant Solution
This compliant solution uses strchr() to replace the new-line newline character in the string , if it exists. (See rue FIO36-C. Do not assume a new-line character is read when using fgets().):
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <string.h> enum { BUFFER_SIZE = 1024 }; void func(void) { char buf[BUFSIZ + 1BUFFER_SIZE]; char *p; if (fgets(buf, sizeof(buf), stdin)) { p = strchr(buf, '\n'); if (p) { *p = '\0'; } } else { /* Handle error condition */ } } |
Risk Assessment
Assuming Incorrectly assuming that character data has been read can result in an out-of-bounds memory write or other flawed logic.
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|---|---|
FIO37-C |
High | Probable |
Yes |
Yes |
P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| Astrée |
Fortify SCA
| Supported: Astrée reports defects due to returned (empty) strings. | |||||||||
| Axivion Bauhaus Suite |
| CertC-FIO37 | ||||||||
| CodeSonar |
| (general) | Considers the possibility that fgets() and fgetws() may return empty strings (Warnings of various classes may be triggered depending on subsequent operations on those strings. For example, the noncompliant code example cited above would trigger a buffer underrun warning.) |
| Section |
|---|
V. 5.0 |
| Compass/ROSE |
Could detect some violations of this rule |
(In particular, it could detect |
the noncompliant code example by searching for |
|
, which could be |
−1. The crux of this rule is that a string returned by |
they would need to |
be enumerated before ROSE could detect them.) | ||||||||||
| Cppcheck Premium |
| premium-cert-fio37-c | ||||||||
| Helix QAC |
| DF4911, DF4912, DF4913 | ||||||||
| Klocwork |
| CERT.FIO.FGETS | ||||||||
| LDRA tool suite |
| 44 S | Enhanced enforcement | |||||||
| Parasoft C/C++test |
| CERT_C-FIO37-a | Avoid accessing arrays out of bounds | |||||||
| Polyspace Bug Finder |
| CERT C: Rule FIO37-C | Checks for use of indeterminate string (rule fully covered) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | FIO14-C. Understand the difference between text mode and binary mode with file streams | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C |
...
| Secure Coding Standard | FIO20-C. Avoid unintentional truncation when using fgets() or fgetws() | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-241, Improper Handling of Unexpected Data Type | 2017-07-05: CERT: |
...
| Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-241 and FIO37-C
CWE-241 = Union( FIO37-C, list) where list =
- Improper handling of unexpected data type that does not come from the fgets() function.
Bibliography
...
| 2024] | Subclause 7. |
...
23.7.2, "The |
...
Function" |
MITRE CWE: CWE-119, "Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer"
MITRE CWE: CWE-241, "Failure to Handle Wrong Data Type"
...
...
| 2013] | Chapter 2, "Strings" |
...