Subclause The C Standard, 7.2123.9.3 of the C Standard paragraph 2 [ISO/IEC 9899:20112024], defines the following behavior for fsetpos():
The
fsetposfunction sets thembstate_tobject (if any) and file position indicator for the stream pointed to bystreamaccording to the value of the object pointed to bypos, which shall be a value obtained from an earlier successful call to thefgetposfunction on a stream associated with the same file.
Consequently, using Invoking the fsetpos() function with any other values for pos results in is undefined behavior 181.
Noncompliant Code Example
This noncompliant code example attempts to read three values from a file and then set the cursor file position pointer back to the beginning of the file:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <string.h> enum { NO_FILE_POS_VALUES = 3 }; int opener(FILE *file) { int rc; fpos_t offset; memset(&offset, 0, sizeof(offset)); if (file == NULL) { return -1; } /* Read in data from file */ rc = fsetpos(file, &offset); if (rc != 0 ) { return rc; } return 0; } |
However, only Only the return value of an fgetpos() call is a valid argument to fsetpos(); passing an a value of type fpos_t value that was created in any other way is undefined behavior 181.
Compliant Solution
In this compliant solution, the initial file position indicator is stored by first calling fgetpos(), which is used to restore the state to the beginning of the file in the later call to fsetpos():
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <string.h> enum { NO_FILE_POS_VALUES = 3 }; int opener(FILE *file) { int rc; fpos_t offset; if (file == NULL) { return return -1; } rc = fgetpos(file, &offset); if (rc != 0 ) { return return rc; } /* Read in data from file */ rc = fsetpos(file, &offset); if (rc != 0 ) { return return rc; } return 0; } |
Risk Assessment
Misuse of the fsetpos() function can position a file stream read position indicator to a an unintended location in the file. If this location holds data provided by an attacker, the misuse of this function could be exploited to overwrite the values of objects being read from the file.
Rule | Severity | Likelihood |
|---|
Detectable | Repairable | Priority | Level |
|---|---|---|---|
FIO44-C | Medium | Unlikely | No |
No |
P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| (customization) | Users can add a custom check for violations of this constraint. | ||||||
| Compass/ROSE |
Can detect common violations of this rule. However, it cannot handle cases in which the value returned by |
5.0
| Cppcheck Premium |
| premium-cert-fio44-c | |||||||
| Helix QAC |
| DF4841, DF4842, DF4843 | |||||||
| Klocwork |
| CERT.FSETPOS.VALUE |
| LDRA tool suite |
| 82 D | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-FIO44-a | Only use values for fsetpos() that are returned from fgetpos() | ||||||
| Polyspace Bug Finder |
| CERT C: Rule FIO44-C | Checks for invalid file position (rule partially covered) | ||||||
| PVS-Studio |
| V1035 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|
| ISO/IEC TS 17961:2013 | Using a value for fsetpos other than a value returned from fgetpos [xfilepos] | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
...
...