SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Alex Volkovitsky

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Macros are frequently used in the remediation of existing code to globally replace on one identifier with another, for example, when an existing API changes. While there  Although some risk is always some risk involved, this practice becomes particularly dangerous (some might say foolish) if a function name is replaced with the function name of a less secure function.

Non-Compliant Code Example

Wiki Markup
The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) contained a vulnerability that introduced several potential buffer overflow conditions. ISC DHCP makes use of the {{vsnprintf()}} function for writing various log file strings, which is defined in in the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\] as well as C99 \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\]. For systems that do not support {{vsnprintf()}}, a C include file was created that defines the {{vsnprintf()}} function to {{vsprintf()}} as shown in this non-compliant code example:

deprecated or obsolescent function. Deprecated functions are defined by the C Standard and Technical Corrigenda. Obsolescent functions are defined by MSC24-C. Do not use deprecated or obsolescent functions.

Although compliance with rule MSC24-C. Do not use deprecated or obsolescent functions guarantees compliance with this recommendation, the emphasis of this recommendation is the extremely risky and deceptive practice of replacing functions with less secure alternatives.

Noncompliant Code Example

The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) contained a vulnerability that introduced several potential buffer overflow conditions [VU#654390]. ISC DHCP makes use of the vsnprintf() function for writing various log file strings; vsnprintf() is defined in the Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 [IEEE Std 1003.1:2013] as well as in the C Standard. For systems that do not support vsnprintf(), a C include file was created that defines the vsnprintf() function to vsprintf(), as shown in this noncompliant code example:

Code Block
bgColor#FFcccc
langc
Code Block
bgColor#ffcccc

#define vsnprintf(buf, size, fmt, list) \
vsprintf(buf, fmt, list)

The vsprintf() function does not check bounds. Consequently, size is discarded, creating the potential for a buffer overflow when untrusted data is used.

Compliant Solution

Include The solution is to include an implementation of the missing function vsnprintf(), in this case with the executable, to eliminate the dependency on an external library functions when they are not available. This compliant solution assumes that __USE_ISOC11 is not defined on systems that fail to provide a vsnprintf() implementation:

Code Block
bgColor#ccccFF
lang#ccccffc

#include <stdio.h>
#ifndef __USE_ISOC99ISOC11
  #include "my_stdio.h" /* includesReimplements reimplementation of vsnprintf() */
  #include "my_stdio.h"
#endif

Risk Assessment

Replacing secure functions with less secure functions is a very risky practice , because developers can be easily fooled into trusting the function to perform a security check that is absent. This may be a concern, for example, as developers attempt to adopt more secure functions, like the ISO/IEC TR 24731-1 functions (see STR07-A. Use TR 24731 for remediation of existing string manipulation code) that might not be available on all platforms.such as the C11 Annex K functions, that might not be available on all platforms. (See STR07-C. Use the bounds-checking interfaces for string manipulation.)

Recommendation

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

PRE09-

A

C

high

High

high

Likely

medium

Medium

P18

L1

Automated Detection

ToolVersionCheckerDescription
Astrée
Include Page
Astrée_V
Astrée_V

Supported, but no explicit checker
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-PRE09
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5003
Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. PRE09-C


Checks for:

  • Use of dangerous standard function
  • Insufficient destination buffer size

Rec. fully covered.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.6.12, "The {{vsnprintf}} function"
\[[Open Group 04|AA. C References#Open Group 04]\] [{{vsnprintf()}}|http://www.opengroup.org/onlinepubs/009695399/functions/vsnprintf.html]
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 6, "Formatted Output"
\[[VU#654390|AA. C References#VU#654390]\]

Related Guidelines

SEI CERT C++ Coding StandardVOID PRE09-CPP. Do not replace secure functions with less secure functions
ISO/IEC TR 24772:2013Executing or Loading Untrusted Code [XYS]
MITRE CWECWE-684, Failure to provide specified functionality

 Bibliography

[IEEE Std 1003.1:2013]XSH, System Interfaces, vsnprintf, vsprintf
[Seacord 2013]Chapter 6, "Formatted Output"
[VU#654390]


...

Image Added Image Added Image AddedPRE08-A. Guarantee that header filenames are unique      06. Arrays (ARR)       PRE10-A. Wrap multi-statement macros in a do-while loop