
The process of parsing an integer or floating-point number from a string can produce many errors. The string might not contain a number. It might contain a number of the correct type that is out of range (such as an integer that is larger than INT_MAX). The string may also contain extra information after the number, which may or may not be useful after the conversion. These error conditions must be detected and addressed when a string-to-number conversion is performed using a C Standard Library function.

The strtol(), strtoll(), strtoimax(), strtoul(), strtoull(), strtoumax(), strtof(), strtod(), and strtold() functions convert the initial portion of a null-terminated byte string to long int, long long int, intmax_t, unsigned long int, unsigned long long int, uintmax_t, float, double, and long double representation, respectively.

Use one of the C Standard Library strto*() functions to parse an integer or floating-point number from a string. These functions provide more robust error handling than alternative solutions. Also, use the strtol() function to convert to a smaller signed integer type such as signed int, signed short, and signed char, testing the result against the range limits for that type. Likewise, use the strtoul() function to convert to a smaller unsigned integer type such as unsigned int, unsigned short, and unsigned char, and test the result against the range limits for that type. These range tests do nothing if the smaller type happens to have the same size and representation for a particular implementation.

Noncompliant Code Example (atoi())

This noncompliant code example converts the string token stored in buff to a signed integer value using the atoi() function:

#include <stdlib.h>

void func(const char *buff) {
  int si;

  if (buff) {
    si = atoi(buff);
  } else {
    /* Handle error */
  }
}

The atoi(), atol(), atoll(), and atof() functions convert the initial portion of a string token to int, long int, long long int, and double representation, respectively. Except for the behavior on error ([ISO/IEC 9899:2024], s7.24.1.2), they are equivalent to

atoi: (int)strtol(nptr, (char **)NULL, 10)
atol: strtol(nptr, (char **)NULL, 10)
atoll: strtoll(nptr, (char **)NULL, 10)
atof: strtod(nptr, (char **)NULL)

Unfortunately, atoi() and related functions lack a mechanism for reporting errors for invalid values. Specifically, these functions:

  • do not need to set errno on an error;
  • have undefined behavior 16 if the value of the result cannot be represented;
  • return 0 (or 0.0) if the string does not represent an integer (or decimal), which is indistinguishable from a correctly formatted, zero-denoting input string.

Noncompliant Example (sscanf())

This noncompliant example uses the sscanf() function to convert a string token to an integer. The sscanf() function has the same limitations as atoi():

#include <stdio.h>

void func(const char *buff) {
  int matches;
  int si;

  if (buff) {
    matches = sscanf(buff, "%d", &si);
    if (matches != 1) {
      /* Handle error */
    }
  } else {
    /* Handle error */
  }
}

The sscanf() function returns the number of input items successfully matched and assigned, which can be fewer than provided for, or even 0 in the event of an early matching failure. However, sscanf() fails to report the other errors reported by strtol(), such as numeric overflow.

Compliant Solution (strtol())

The strtol(), strtoll(), strtoimax(), strtoul(), strtoull(), strtoumax(), strtof(), strtod(), and strtold() functions convert a null-terminated byte string to long int, long long int, intmax_t, unsigned long int, unsigned long long int, uintmax_t, float, double, and long double representation, respectively.

This compliant solution uses strtol() to convert a string token to an integer and ensures that the value is in the range of int:

#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <stdio.h>

void func(const char *buff) {
  char *end;
  int si;

  errno = 0;

  const long sl = strtol(buff, &end, 10);

  if (end == buff) {
    (void) fprintf(stderr, "%s: not a decimal number\n", buff);
  }
  else if ('\0' != *end) {
    (void) fprintf(stderr, "%s: extra characters at end of input: %s\n", buff, end);
  }
  else if ((LONG_MIN == sl || LONG_MAX == sl) && ERANGE == errno) {
    (void) fprintf(stderr, "%s out of range of type long\n", buff);
  }
  else if (sl > INT_MAX) {
    (void) fprintf(stderr, "%ld greater than INT_MAX\n", sl);
  }
  else if (sl < INT_MIN) {
    (void) fprintf(stderr, "%ld less than INT_MIN\n", sl);
  }
  else {
    si = (int)sl;

    /* Process si */
  }
}
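As an added example (not code from the CERT page), the two parsers below carry the range-checking approach the text describes down to types narrower than long: parse_int() on top of strtol() and parse_ushort() on top of strtoul(); the function names and the parse_status codes are constructed for this example. It also handles one strtoul() caveat the page does not spell out: a leading minus sign is accepted and the magnitude is wrapped rather than reported, so the unsigned parser rejects it before calling strtoul().

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Status codes returned by the two parsers below (constructed for this example). */
enum parse_status { PARSE_OK, PARSE_NOT_A_NUMBER, PARSE_TRAILING_JUNK, PARSE_OUT_OF_RANGE };

/* Parse a base-10 string into int via strtol(), checking each failure mode in turn:
 * no digits consumed, characters left over after the number, overflow of long,
 * and finally a value that fits in long but not in the narrower int. */
enum parse_status parse_int(const char *s, int *out) {
  char *end;
  errno = 0;
  long sl = strtol(s, &end, 10);
  if (end == s) return PARSE_NOT_A_NUMBER;                     /* "", "  ", "abc" */
  if (*end != '\0') return PARSE_TRAILING_JUNK;                /* "12abc", "0x1A" */
  if (errno == ERANGE) return PARSE_OUT_OF_RANGE;              /* beyond LONG_MIN..LONG_MAX */
  if (sl < INT_MIN || sl > INT_MAX) return PARSE_OUT_OF_RANGE; /* fits long, not int */
  *out = (int)sl;
  return PARSE_OK;
}

/* Same checks with strtoul() for unsigned short. strtoul() accepts a leading '-'
 * and negates the magnitude modulo ULONG_MAX + 1 without setting errno, so a
 * minus sign is rejected explicitly after the leading whitespace strtoul() skips. */
enum parse_status parse_ushort(const char *s, unsigned short *out) {
  const char *p = s;
  while (isspace((unsigned char)*p)) p++;
  if (*p == '-') return PARSE_OUT_OF_RANGE;                    /* "-1" would wrap, not fail */
  char *end;
  errno = 0;
  unsigned long ul = strtoul(s, &end, 10);
  if (end == s) return PARSE_NOT_A_NUMBER;
  if (*end != '\0') return PARSE_TRAILING_JUNK;
  if (errno == ERANGE || ul > USHRT_MAX) return PARSE_OUT_OF_RANGE;
  *out = (unsigned short)ul;
  return PARSE_OK;
}
```

The results assume a 32-bit int; "2147483648" is rejected either because strtol() sets ERANGE (32-bit long) or because the value exceeds INT_MAX (64-bit long).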

Risk Assessment

It is rare for a violation of this rule to result in a security vulnerability, unless it occurs in security-sensitive code. However, violations of this rule can easily result in lost or misinterpreted data.

Rule    | Severity | Likelihood | Detectable | Repairable | Priority | Level
ERR34-C | Medium   | Unlikely   | Yes        | Yes        | P6       | L2

Automated Detection

Tool | Version | Checker | Description
Axivion Bauhaus Suite | | CertC-ERR34 |
Clang | 3.9 | cert-err34-c | Checked by clang-tidy
CodeSonar | | BADFUNC.ATOF, BADFUNC.ATOI, BADFUNC.ATOL, BADFUNC.ATOLL (customization) | Use of atof, Use of atoi, Use of atol, Use of atoll. Users can add custom checks for uses of other undesirable conversion functions
Compass/ROSE | | | Can detect violations of this recommendation by flagging invocations of the following functions: atoi(); scanf(), fscanf(), sscanf(); others?
Fortify SCA | V. 5.0 | | Can detect violations of this recommendation with the CERT C Rule Pack
Helix QAC | | C5030, C++5016 |
Klocwork | | CERT.ERR.CONV.STR_TO_NUM, MISRA.STDLIB.ATOI, SV.BANNED.RECOMMENDED.SCANF |
LDRA tool suite | | 44 S | Fully implemented
Parasoft C/C++test | | CERT_C-ERR34-a | The 'atof', 'atoi', 'atol' and 'atoll' functions from the 'stdlib.h' or 'cstdlib' library should not be used
PC-lint Plus | | 586 | Assistance provided
Polyspace Bug Finder | | CERT C: Rule ERR34-C | Checks for unsafe conversion from string to numeric value (rule fully covered)
PRQA QA-C | | Warncall -wc atoi, -wc atol | Partially implemented
SonarQube C/C++ Plugin | | S989 |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Taxonomy | Taxonomy item | Relationship
CERT C++ Secure Coding Standard | INT06-CPP. Use strtol() or a related function to convert a string token to an integer | Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11 | CWE-676, Use of potentially dangerous function | 2017-05-18: CERT: Rule subset of CWE
CWE 2.11 | CWE-758 | 2017-06-29: CERT: Partial overlap

CERT-CWE Mapping Notes

CWE-20 and ERR34-C

Intersection( ERR34-C, CWE-20) = Ø

CERT C does not define the concept of 'input validation'. String-to-integer conversion (ERR34-C) may qualify as input validation, but this is outside the scope of the CERT rule.

CWE-391 and ERR34-C

CWE-391 = Union( ERR34-C, list) where list =

  • Failure to detect errors outside of string-to-number conversion functions

CWE-676 and ERR34-C

Independent( ENV33-C, CON33-C, STR31-C, EXP33-C, MSC30-C, ERR34-C)

ERR34-C implies that string-parsing functions (e.g., atoi() and scanf()) are dangerous.

CWE-676 = Union( ERR34-C, list) where list =

  • Invocation of dangerous functions besides the following: atoi(), atol(), atoll(), atof(), and the scanf() family

CWE-758 and ERR34-C

Independent( INT34-C, INT36-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)

Intersection( CWE-758, ERR34-C) =

  • Undefined behavior arising from a non-representable numeric value being parsed by an ato*() or scanf() function

CWE-758 – ERR34-C =

  • Undefined behavior arising from using a function outside of the ato*() or scanf() family

ERR34-C – CWE-758 =

  • The ato*() or scanf() family receives input that is not a number when trying to parse one

Bibliography

[ISO/IEC 9899:2024] Subclause 7.24.1, "Numeric conversion functions"
[Klein 2002]