You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 77 Next »

Macros are frequently used in the remediation of existing code to globally replace one identifier with another, for example, when an existing API changes. Although some risk is always involved, this practice becomes particularly dangerous if a function name is replaced with the function name of a deprecated or obsolescent function. Deprecated functions are defined by the C Standard and Technical Corrigenda. Obsolescent functions are defined by MSC34-C. Do not use deprecated or obsolete functions.

While compliance with rule MSC34-C. Do not use deprecated or obsolete functions guarantees compliance with this recommendation, the emphasis of this recommendation is the extremely risky and deceptive practice of replacing functions with less secure alternatives.

Noncompliant Code Example

The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) contained a vulnerability that introduced several potential buffer overflow conditions [VU#654390]. ISC DHCP makes use of the vsnprintf() function for writing various log file strings, which is defined in the Open Group Base Specifications Issue 6 [Open Group 2004] as well as in the C Standard. For systems that do not support vsnprintf(), a C include file was created that defines the vsnprintf() function to vsprintf(), as shown in this noncompliant code example:

#define vsnprintf(buf, size, fmt, list) \
vsprintf(buf, fmt, list)

The vsprintf() function does not check bounds. Consequently, size is discarded, creating the potential for a buffer overflow when untrusted data is used.

Compliant Solution

The solution is to include an implementation of the missing function vsnprintf() to eliminate the dependency on external library functions when they are not available. This compliant solution assumes that __USE_ISOC99 is not defined on systems that fail to provide a vsnprintf() implementation.

#include <stdio.h>
#ifndef __USE_ISOC99
  /* reimplements vsnprintf() */
  #include "my_stdio.h"
#endif

Risk Assessment

Replacing secure functions with less secure functions is a very risky practice because developers can be easily fooled into trusting the function to perform a security check that is absent. This may be a concern, for example, as developers attempt to adopt more secure functions, like the ISO/IEC TR 24731-1 functions that might not be available on all platforms. (See STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.)

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

PRE09-C

high

likely

medium

P18

L1

Automated Detection

ToolVersionCheckerDescription
PRQA QA-C
Unable to render {include} The included page could not be found.
Secondary analysisFully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

 Bibliography

[Open Group 2004]vsnprintf()
[Seacord 2013]Chapter 6, "Formatted Output"
[VU#654390] 

 


  • No labels