Do not use functions that input characters and convert them to integers if the functions cannot handle all possible inputs. For example, formatted input functions such as scanf(), fscanf(), vscanf(), and vfscanf() can be used to read string data from stdin or (in the cases of fscanf() and vfscanf()) other input streams. These functions work fine for valid integer values but lack robust error handling for invalid values.
Alternatively, input character data as a null-terminated byte string and convert it to an integer value using strtol() or a related function \[INT06-A. Use strtol() or a related function to convert a string token to an integer\].
This non-compliant code example uses the scanf() function to read a string from stdin and convert it to a long. The scanf() and fscanf() functions have undefined behavior if the value of the result of this operation cannot be represented as an integer.

#include <stdio.h>

long sl;
/* undefined behavior if the input does not fit in a long; the return value is not checked either */
scanf("%ld", &sl);
This compliant solution uses fgets() to input a string and strtol() to convert the string to an integer. Error checking is provided to make sure that the value is a valid integer in the range of long.

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

char buff[25];
char *end_ptr;
long sl;

if (fgets(buff, sizeof(buff), stdin) == NULL) {
    puts("EOF or read error");          /* puts() appends the newline itself */
} else {
    errno = 0;                          /* clear errno so ERANGE can be detected reliably */
    sl = strtol(buff, &end_ptr, 10);
    if (ERANGE == errno) {
        puts("number out of range");    /* value does not fit in a long */
    }
    else if (end_ptr == buff) {
        puts("not valid numeric input"); /* no digits were consumed */
    }
    else if ('\n' != *end_ptr && '\0' != *end_ptr) {
        puts("extra characters on input line"); /* something followed the number */
    }
}
Note that this solution treats any trailing characters, including white space characters, as an error condition.
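The same checks as the compliant solution, factored into a function that reports each failure mode as a status code so it can be exercised on constructed input lines (including the trailing-whitespace case the note above mentions). This is an added example, not code from the CERT page; the enum, function name and sample lines are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of converting one input line to a long (hypothetical names). */
enum parse_status {
    PARSE_OK,
    PARSE_OUT_OF_RANGE,  /* strtol() set errno to ERANGE */
    PARSE_NOT_NUMERIC,   /* no digits were consumed at all */
    PARSE_TRAILING_JUNK  /* characters other than '\n' follow the number */
};

/* Convert a line (as fgets() would return it) to a long with the same
 * checks as the compliant solution; *out is written only on PARSE_OK. */
enum parse_status parse_long_line(const char *line, long *out) {
    char *end_ptr;
    long value;

    errno = 0;                            /* so a stale ERANGE is not misread */
    value = strtol(line, &end_ptr, 10);
    if (errno == ERANGE) {
        return PARSE_OUT_OF_RANGE;
    }
    if (end_ptr == line) {                /* e.g. "", "\n", "abc", "-" */
        return PARSE_NOT_NUMERIC;
    }
    if (*end_ptr != '\n' && *end_ptr != '\0') {
        return PARSE_TRAILING_JUNK;       /* "12abc\n" and also "12 \n" */
    }
    *out = value;
    return PARSE_OK;
}

int main(void) {
    /* constructed sample lines standing in for fgets() results */
    const char *samples[] = {"42\n", "-17", "  7\n", "99999999999999999999\n",
                             "abc\n", "12abc\n", "12 \n"};
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long v;
        enum parse_status st = parse_long_line(samples[i], &v);
        if (st == PARSE_OK) {
            printf("ok: %ld\n", v);
        } else {
            printf("rejected (status %d)\n", (int)st);
        }
    }
    return 0;
}
```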
While it is relatively rare for a violation of this rule to result in a security vulnerability, it can more easily result in lost or misinterpreted data.
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| INT05-A | 2 (medium) | 2 (probable) | 1 (high) | P2 | L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[Klein 02\] \[ISO/IEC 9899-1999\] Section 7.20.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.6, "Formatted input/output functions"