If the C99 `fgets()` function fails, the contents of the array it was writing to are indeterminate [ISO/IEC 9899:1999] (see also undefined behavior 161 of Annex J). Consequently, it is necessary to reset the string to a known value to avoid possible errors in subsequent string manipulation functions. The `fgetws()` function is similarly affected.
In this noncompliant code example, an error flag is set upon `fgets()` failure.

```c
char buf[BUFSIZ];
FILE *file;
/* Initialize file */

if (fgets(buf, sizeof(buf), file) == NULL) {
  /* Set error flag and continue */
}
```

However, `buf` is not reset and has unknown contents.
In this compliant solution, `buf` is set to an empty string if `fgets()` fails. The equivalent solution for `fgetws()` would set `buf` to an empty wide string.

```c
char buf[BUFSIZ];
FILE *file;
/* Initialize file */

if (fgets(buf, sizeof(buf), file) == NULL) {
  /* Set error flag and continue */
  *buf = '\0';
}
```
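The compliant pattern wrapped in a reusable helper, shown as an added example rather than code from the CERT page: `fgets_or_empty()` and `count_lines_demo()` are hypothetical names, and the input is a constructed temporary stream so the buffer state after the failing `fgets()` call can be checked directly.

```c
#include <stdio.h>
#include <string.h>

/* Reads one line with fgets() and guarantees that buf holds a valid string
 * afterwards even when fgets() fails (EOF or read error).
 * Returns 1 if a line was read, 0 otherwise. */
int fgets_or_empty(char *buf, size_t size, FILE *stream) {
  if (size == 0) {
    return 0;
  }
  if (fgets(buf, (int)size, stream) == NULL) {
    /* Contents of buf are indeterminate here: reset to a known value. */
    buf[0] = '\0';
    return 0;
  }
  return 1;
}

/* Counts the lines in a constructed sample stream and checks that, after the
 * failing call at end of file, buf is the empty string.
 * Returns the line count, or -1 if the stream could not be created or the
 * buffer was left without a terminating null. */
int count_lines_demo(void) {
  char buf[BUFSIZ];
  FILE *file = tmpfile(); /* constructed sample input, not a real file */
  if (file == NULL) {
    return -1;
  }
  fputs("first line\nsecond line\n", file);
  rewind(file);

  /* Fill the buffer with stale bytes to mimic leftover data from earlier use. */
  memset(buf, 'X', sizeof buf);

  int lines = 0;
  while (fgets_or_empty(buf, sizeof buf, file)) {
    lines++;
  }
  fclose(file);

  /* Safe to treat buf as a string only because the wrapper reset it. */
  return (buf[0] == '\0') ? lines : -1;
}
```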
FIO40-EX1: If the string goes out of scope immediately following the call to `fgets()` or `fgetws()`, or is not referenced in the case of a failure, it need not be reset.
Making invalid assumptions about the contents of an array modified by `fgets()` or `fgetws()` can result in undefined behavior and abnormal program termination.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO40-C | low | probable | medium | P4 | L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
This rule appears in the C++ Secure Coding Standard as FIO40-CPP. Reset strings on fgets() failure.
[ISO/IEC 9899:1999] Section 7.19.7.2, "The fgets function," and Section 7.24.3.2, "The fgetws function"