View Source

Common mistakes in creating format strings include

Using invalid conversion specifiers
Using a length modifier on an incorrect specifier
Mismatching the argument and conversion specifier type
Using invalid character classes

The following are C99 compliant conversion specifiers \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]. Using any other specifier may result in [undefined behavior|BB. Definitions#undefined behavior].

d, i, o, u, x, X, f, F, e, E, g, G, a, A, c, s, p, n, %

Only some of the conversion specifiers are able to correctly take a length modifier. Using a length modifier on any specifier other than the following may result in undefined behavior.

d, i, o, u, x, X, a, A, e, E, f, F, g, G

Character class ranges must also be properly specified with a hyphen in between two printable characters. The two following lines are both properly specified. The first accepts any character from a-z, inclusive, while the second accepts anything that is not a-z, inclusive.

[a-z]
[FIO00-C. Take care when creating format strings^a-z]

Note that the range is in terms of character code values, and on an EBCDIC platform it will include some non-alphabetic codes. Consequently the isalpha() function should be used to verify the input.

Noncompliant Code Example

Mismatches between arguments and conversion specifiers may result in undefined behavior. Many compilers can diagnose type mismatches in formatted output function invocations.

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %s): %d\n", error_type, error_msg);

Compliant Solution

This compliant solution ensures that the format arguments match their respective format specifiers.

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %d): %s\n", error_type, error_msg);

Risk Assessment

In most cases, incorrectly specified format strings will result in abnormal program termination.

Recommendation	Severity	Likelihood	Remediation Cost	Priority	Level
FIO00-C	high	unlikely	medium	P6	L2

Automated Detection

The LDRA tool suite V 7.6.0 can detect violations of this recommendation.

GNU C allows the -Wformat compiler option that does substantial checking of formats and arguments.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.6.1, "The {{fprintf}} function"

09. Input Output (FIO) 09. Input Output (FIO)