According to C99, if the fgets() function fails, the contents of its parameterized array are undefined. Therefore, reset the string to a known value to avoid possible errors on subsequent string manipulation functions.
In this noncompliant example, an error flag is set upon fgets() failure. However, buf is not reset and will have unknown contents.
```c
#include <stdio.h>

enum { BUFFERSIZE = 1024 };
char buf[BUFFERSIZE];
FILE *file;
/* Initialize file */
if (fgets(buf, sizeof(buf), file) == NULL) {
  /* set error flag and continue */
}
/* On failure, buf holds indeterminate data at this point */
printf("Read in: %s\n", buf);
```
In the compliant solution, after fgets fails, buf is set to an error message.
```c
#include <stdio.h>
#include <string.h>

enum { BUFFERSIZE = 1024 };
char buf[BUFFERSIZE];
FILE *file;
/* Initialize file */
if (fgets(buf, sizeof(buf), file) == NULL) {
  /* set error flag and continue */
  strcpy(buf, "fgets failed"); /* reset buf to a known value */
}
printf("Read in: %s\n", buf);
```
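The following is an added example, not part of the CERT page: a small wrapper (hypothetical names read_line and run_demo) that resets the buffer on every fgets() failure and uses ferror() to tell end-of-file apart from a stream error. It is driven over a constructed in-memory stream via fmemopen() (POSIX), with the buffer pre-filled with stale text so that a missing reset would be visible.

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen() */
#include <stdio.h>
#include <string.h>

enum { BUFFERSIZE = 1024 };
enum read_status { READ_OK, READ_EOF, READ_ERROR };

/* Wrapper around fgets(): on failure the buffer is reset to the empty string
 * (C99 7.19.7.2 leaves its contents indeterminate) and end-of-file is told
 * apart from a stream error so the caller can react accordingly. */
enum read_status read_line(char *buf, size_t size, FILE *file) {
    if (fgets(buf, (int)size, file) == NULL) {
        buf[0] = '\0';                  /* known state: never print stale data */
        return ferror(file) ? READ_ERROR : READ_EOF;
    }
    return READ_OK;
}

struct demo_result {
    int lines;     /* number of successful reads, -1 on stream error */
    int reset_ok;  /* 1 if buf was "" after the final failed read */
};

/* Drive read_line() over a constructed in-memory stream (fmemopen, POSIX).
 * buf starts out holding stale text so the effect of the reset is observable. */
struct demo_result run_demo(const char *text) {
    struct demo_result r = { -1, 0 };
    char copy[256];
    char buf[BUFFERSIZE] = "stale data from an earlier read";
    strncpy(copy, text, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    FILE *f = fmemopen(copy, strlen(copy), "r");
    if (f == NULL) return r;
    enum read_status st;
    int n = 0;
    while ((st = read_line(buf, sizeof buf, f)) == READ_OK) {
        n++;
        printf("Read in: %s", buf);   /* lines keep their trailing '\n' */
    }
    fclose(f);
    r.lines = (st == READ_ERROR) ? -1 : n;
    r.reset_ok = (buf[0] == '\0');
    return r;
}

int main(void) {
    struct demo_result r = run_demo("alpha\nbeta\n");
    printf("lines=%d reset_ok=%d\n", r.lines, r.reset_ok);
    return 0;
}
```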
Making assumptions about the contents of the array set by fgets on failure could lead to undefined behavior, possibly resulting in abnormal program termination.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
FIO40-C | 1 (low) | 1 (unlikely) | 2 (medium) | P2 | L3
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Since the nature of this issue and the solution recommended by this rule are local, simple static analysis should be effective at assuring compliance with this rule. A simple search should be able to find calls to fgets(), and local analysis should be effective at finding the code that applies when NULL is returned, as well as determining whether the returned string is reset.
This rule also lends itself to inclusion in a global rules set that can be shipped with a static analysis tool.
It may be possible to assure compliance with this rule with some run-time mechanism. However, it seems unlikely that dynamic analysis would be chosen over the straightforward static analysis, considering the well-known disadvantages of dynamic analysis (performance, difficulty confirming that all cases are covered, etc.).
Manual inspection (especially if assisted by tooling to locate all calls to fgets()) could be effective and relatively efficient.
Due to the low level of this rule (all calls to fgets()), it seems unlikely that testing would be used to provide assurance of a codebase's compliance.
[ISO/IEC 9899-1999] Section 7.19.7.2, "The fgets function"