Errors can occur when incorrect assumptions are made about the type of data being read. These assumptions may be violated, for example, when binary data has been read from a file instead of text from a user's terminal, or when the output of a process is piped to stdin. (See FIO14-C. Understand the difference between text mode and binary mode with file streams.) On some systems, it may also be possible to input a null byte (as well as other binary codes) from the keyboard.
Subclause 7.23.7.2, paragraph 3, of the C Standard [ISO/IEC 9899:2024] says,
The fgets function returns s if successful. If end-of-file is encountered and no characters have been read into the array, the contents of the array remain unchanged and a null pointer is returned. If a read error occurs during the operation, the members of the array have unspecified values and a null pointer is returned.
The wide-character function fgetws() has the same behavior. Therefore, if fgets() or fgetws() returns a non-null pointer, it is safe to assume that the array contains data. However, it is erroneous to assume that the array contains a nonempty string because the data may contain null characters.
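The pitfall described above, as an added example (not code from this rule's page): `read_line()` and `open_sample()` are hypothetical names and the sample bytes are constructed. The newline is removed with `strcspn()` instead of indexing `strlen(buf) - 1`, so a line that begins with a null character cannot push the store outside the array.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example; read_line() and open_sample() are hypothetical names. */

/* Constructed input: the first line starts with a null byte. */
static const char sample[] = { '\0', 'A', 'B', '\n', 'o', 'k', '\n' };

/* Put the sample in a temporary file and rewind it for reading. */
FILE *open_sample(void) {
    FILE *fp = tmpfile();
    if (fp != NULL) {
        fwrite(sample, 1, sizeof sample, fp);
        rewind(fp);
    }
    return fp;
}

/* Read one line and drop its newline. Returns 0 on success, -1 on
 * end-of-file or read error (buf must not be used in that case). */
int read_line(FILE *fp, char *buf, size_t size) {
    if (size == 0 || size > INT_MAX)
        return -1;
    if (fgets(buf, (int)size, fp) == NULL)
        return -1;
    /* Not buf[strlen(buf) - 1]: for an empty string that index wraps
     * around and the store lands outside the array. strcspn() yields an
     * index in [0, strlen(buf)], so the store is always in bounds. */
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void) {
    char buf[16];
    FILE *fp = open_sample();
    if (fp == NULL)
        return 1;
    while (read_line(fp, buf, sizeof buf) == 0)
        printf("line with %zu byte(s) before the first null\n", strlen(buf));
    fclose(fp);
    return 0;
}
```

The first line of the sample is reported as an empty string even though `fgets()` succeeded and stored four bytes; the bytes after the null character are not visible to string functions.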
...
Incorrectly assuming that character data has been read can result in an out-of-bounds memory write or other flawed logic.
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| FIO37-C | High | Probable | Yes | Yes | P18 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | | | Supported: Astrée reports defects due to returned (empty) strings. |
| Axivion Bauhaus Suite | | CertC-FIO37 | |
| CodeSonar | | (general) | Considers the possibility that fgets() and fgetws() may return empty strings (Warnings of various classes may be triggered depending on subsequent operations on those strings. For example, the noncompliant code example cited above would trigger a buffer underrun warning.) |
| Compass/ROSE | | | Could detect some violations of this rule (In particular, it could detect the noncompliant code example by searching for .) |
| Cppcheck Premium | | premium-cert-fio37-c | |
| Helix QAC | | DF4911, DF4912, DF4913 | |
| Klocwork | | CERT.FIO.FGETS | |
| LDRA tool suite | | 44 S | Enhanced enforcement |
| Parasoft C/C++test | | CERT_C-FIO37-a | Avoid accessing arrays out of bounds |
| Polyspace Bug Finder | | CERT C: Rule FIO37-C | Checks for use of indeterminate string (rule fully covered) |
5.0
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | FIO14-C. Understand the difference between text mode and binary mode with file streams | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C Secure Coding Standard | FIO20-C. Avoid unintentional truncation when using fgets() or fgetws() | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-241, Improper Handling of Unexpected Data Type | 2017-07-05: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-241 and FIO37-C
CWE-241 = Union( FIO37-C, list) where list =
- Improper handling of unexpected data type that does not come from the fgets() function.
Bibliography
| [ISO/IEC 9899:2024] | Subclause 7.23.7.2, "The |
| | 7.31.3.2, "The |
| [Lai 2006] | |
| [Seacord 2013] | Chapter 2, "Strings" |
...
...