Page History

...

Although it is relatively rare for a violation of this recommendation to result in a security vulnerability, it can easily result in lost or misinterpreted data.

Recommendation	Severity	Likelihood

Remediation Cost

Detectable	Repairable	Priority	Level
INT05-C	Medium	Probable

High

Yes

No

P4

P8

L3

L2

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page

	Axivion Bauhaus Suite_V
	Axivion Bauhaus Suite_V

CertC-INT05

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

MISC.NEGCHAR

Negative Character Value

Compass/ROSE

Can detect violations of this recommendation. In particular, it notes uses of the scanf() family of functions where on the type specifier is a floating-point or integer type

Fortify SCA

5.0

Helix QAC

Include Page

	Helix QAC_V
	Helix QAC_V

C5005

Can detect violations of this recommendation with the CERT C Rule Pack

LDRA tool suite

Include Page

	LDRA_V
	LDRA_V

44 S

Enhanced Enforcement

Parasoft C/C++test

9.5SECURITY-13Fully implementedPRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_vWarncall for scanf etc

Include Page

	Parasoft_V
	Parasoft_V

CERT_C-INT05-a

Avoid using unsafe string functions that do not check bounds

PC-lint Plus

Include Page

	PC-lint Plus_V
	PC-lint Plus_V

586

Fully supported

Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding Standard	VOID INT05-CPP. Do not use input functions to convert character data if they cannot handle all possible inputs
MITRE CWE	CWE-192, Integer coercion error CWE-197, Numeric truncation error

Bibliography

[Klein 2002]


[Linux 2008]	`scanf(3)`

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 97

New Version Current

Key

Automated Detection

Related Vulnerabilities

Related Guidelines

Bibliography