Page History

...

Alternatively, input character data as a null-terminated byte string and convert to an integer value using strtol() or a related function. (See INT06ERR34-C. Use strtol() or a related function to convert a string token to an integerDetect errors when converting a string to a number.)

Noncompliant Code Example

...

Code Block

bgColor	#FFcccc
lang	c

long slnum_long;

if (scanf("%ld", &slnum_long) != 1) {
  /* handleHandle error */
}

In general, do not use scanf() to parse integers or floating-point numbers from input strings because the input could contain numbers not representable by the argument type.

...

This compliant example uses the Linux scanf() implementation's built-in error handling to validate input. On Linux platforms, scanf() sets errno to ERANGE if the result of integer conversion cannot be represented within the size specified by the format string [Linux 2008]. Note that this solution is a platform - dependent solution. Therefore, so it should be used only where portability is not a concern.

Code Block

bgColor	#ccccff
lang	c

long slnum_long;
errno = 0;

if (scanf("%ld", &slnum_long) != 1) {
  /* handleHandle error */
}
else if (ERANGE == errno) {
  if (puts("number out of range\n") == EOF) {
      /* Handle error */
  }
}

...

Code Block

bgColor	#ccccff
lang	c

char buff[25];
char *end_ptr;
long slnum_long;

if (fgets(buff, sizeof(buff), stdin) == NULL) {
  if (puts("EOF or read error\n") == EOF) {
    /* Handle error */
  }
} else {
  errno = 0;

  slnum_long = strtol(buff, &end_ptr, 10);

  if (ERANGE == errno) {
    if (puts("number out of range\n") == EOF) {
      /* Handle error */
    }
  }
  else if (end_ptr == buff) {
    if (puts("not valid numeric input\n") == EOF) {
      /* Handle error */
    }
  }
  else if ('\n' != *end_ptr && '\0' != *end_ptr) {
    if (puts("extra characters on input line\n") == EOF) {
      /* Handle error */
    }
  }
}

...

Although it is relatively rare for a violation of this recommendation to result in a security vulnerability, it can easily result in lost or misinterpreted data.

Recommendation	Severity	Likelihood

Remediation Cost

Detectable	Repairable	Priority	Level
INT05-C	Medium

medium

Probable

probable

Yes

high

No

P4

P8

L3

L2

Automated Detection

Fortify SCA

V. 5.0

Can detect violations of this recommendation with the CERT C Rule Pack.

Compass/ROSE

Tool	Version	Checker	Description

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-INT05

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

MISC.NEGCHAR

Negative Character Value

Compass/ROSE

Can detect violations of this recommendation. In particular, it notes uses of the scanf() family of functions where on the type specifier is a floating-point or integer type

.PRQA QA·C Include PagePRQA_VPRQA_V Fully implemented

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C5005

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

44 S

Enhanced Enforcement

Parasoft C/C++test

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-INT05-a

Avoid using unsafe string functions that do not check bounds

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

586

Fully supported

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++

...

Coding Standard

...

VOID INT05-CPP. Do not use input functions to convert character data if they cannot handle all possible inputs

ISO/IEC 9899:2011 Section 7.22.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.21.6, "Formatted input/output functions"

...

MITRE CWE

CWE-192,

...

Integer coercion error

...

CWE-197,

...

Numeric truncation error

...

Bibliography

[Klein 2002]
[Linux 2008]	`scanf(3)`

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 79

New Version Current

Key

Noncompliant Code Example

Automated Detection

Related Vulnerabilities

Related Guidelines

Bibliography