Macros are frequently used in the remediation of existing code to globally replace on identifier with another, for example, when an existing API changes. While there is always some risk involved, this practice becomes particularly dangerous (some might say foolish) if a function name is replaced with a less secure function.
The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) contained a vulnerability that introduced several potential buffer overflow conditions. ISC DHCP makes use of the {{vsnprintf()}} function for writing various log file strings, which is defined in in the Open Group Base Specifications Issue 6 \[[Open Group 04|AA. C References#Open Group 04]\] as well as C99 \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\]. For systems that do not support {{vsnprintf()}}, a C include file was created that defines the {{vsnprintf()}} function to {{vsprintf()}} as shown in this non-compliant code example: |
#define vsnprintf(buf, size, fmt, list) \ vsprintf(buf, fmt, list) |
The vsprintf() function does not check bounds. Consequently, size is discarded, creating the potential for a buffer overflow when untrusted data is used.
Include an implementation of the missing function vsnprintf(), in this case with the executable, to eliminate the dependency on an external library.
#include <stdio.h> #ifndef __USE_ISOC99 #include "my_stdio.h" /* includes reimplementation of vsnprintf() */ #endif |
Replacing secure functions with less secure functions is a very risky practice, because developers can be easily fooled into trusting the function to perform a security check that is absent. This may be a concern, for example, as developers attempt to adopt more secure functions, like the ISO/IEC TR 24731-1 functions (see STR07-A. Use TR 24731 for remediation of existing string manipulation code) that might not be available on all platforms.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
PRE09-A |
high |
high |
medium |
P18 |
L1 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.6.12, "The {{vsnprintf}} function"
\[[Open Group 04|AA. C References#Open Group 04]\] [{{vsnprintf()}}|http://www.opengroup.org/onlinepubs/009695399/functions/vsnprintf.html]
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 6, "Formatted Output"
\[[VU#654390|AA. C References#VU#654390]\] |
PRE08-A. Guarantee that header filenames are unique 06. Arrays (ARR) PRE10-A. Wrap multi-statement macros in a do-while loop