...
| Wiki Markup |
|---|
\[[Burch 2006|AA. Bibliography#Burch06]\] \[[CERT 2006c|AA. Bibliography#CERT 06c]\] \[[Seacord 2005a|AA. Bibliography#Seacord 05a]\] Chapter 2, "Strings" |
Using deprecated or obsolescent functions shall be diagnosed because there exist equivalent functions that are more secure.
Deprecated functions are defined by the C99 standard and Technical Corrigenda. Obsolescent functions are defined by this guideline.
When an analyzer determines that an out-of-bounds store cannot occur in a specific invocation of a function, the invocation of that function is permitted by this guideline, and the analyzer is not required to produce any diagnostic.
Deprecated Functions
The gets function was deprecated by Technical Corrigendum 3 to C99 and eliminated from C1X.
Obsolescent Functions
Functions in the first column of the following table are hereby defined to be obsolescent functions. To remediate invocations of obsolescent functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-obsolescent functions.
Obsolescent | Recommended | Rationale |
|---|---|---|
| | Non-reentrant. |
| | No error detection. |
| | No error detection. |
| | No error detection. |
| | No error detection. |
| | Non-reentrant. |
| | No exclusive access to file. |
| | No exclusive access to file. |
| | No error detection. |
| | No error detection. |
| Wiki Markup |
|---|
The {{atof, atoi, atol}}, and {{atoll}} functions are obsolescent because the {{strod, strtof, strtol, strtold, strtoll, strotul}}, and {{strtoull}} functions can emulate their usage and have more robust error handling capabilities. See guideline [INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs|seccode:INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs] \[[CERT C Secure Coding Standard 2010|Bibliography#CERT C Secure Coding Standard 10]\]. |
| Wiki Markup |
|---|
The {{fopen}} and {{freopen}} functions are obsolescent because the {{fopen_s}} and {{freopen_s}} functions can emulate their usage and improve security by protecting the file from unauthorized access by setting its file protection and opening the file with exclusive access \[[ISO/IEC WG14 N1173|Bibliography#ISO/IEC WG14 N1173]\]. |
| Wiki Markup |
|---|
The {{setbuf}} function is obsolescent because {{setbuf}} does not return a value and can be emulated using {{setvbuf}}. See guideline [FIO12-C. Prefer setvbuf() to setbuf()|seccode:FIO12-C. Prefer setvbuf() to setbuf()] \[[CERT C Secure Coding Standard 2010|Bibliography#CERT C Secure Coding Standard 10]\]. |
| Wiki Markup |
|---|
The {{rewind}} function is obsolescent because {{rewind}} does not return a value and can be emulated using {{fseek}}. See guideline [FIO07-C. Prefer fseek() to rewind()|seccode:FIO07-C. Prefer fseek() to rewind()] \[[CERT C Secure Coding Standard 2010|Bibliography#CERT C Secure Coding Standard 10]\]. |
The asctime and ctime functions are obsolescent because they use non-reentrant static buffers and can be emulated using asctime_s and ctime_s.
Unchecked Obsolescent Functions
The following are hereby defined to be unchecked obsolescent functions:
| |
| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | |
|
|
To remediate invocations of unchecked obsolescent functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-obsolescent functions from ISO/IEC TR 24731 (Part 1)
|
| |
| | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| |
|
|
|
|
|
or alternative non-obsolescent functions from ISO/IEC DTR 24731-2 (Part 2)
| | | | | | |
| | | | | |
|
Noncompliant Code Example
In this noncompliant code example, the obsolescent functions strcat and strcpy are used.
| Code Block | ||
|---|---|---|
| ||
void complain(const char *msg) {
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFSIZE];
strcpy(buf, prefix);
strcat(buf, msg);
strcat(buf, suffix);
fputs(buf, stderr);
}
|
Noncompliant Code Example
In this noncompliant code example, the obsolescent function setbuf is used.
| Code Block | ||
|---|---|---|
| ||
FILE *file;
/* Setup file */
setbuf(file, NULL);
/* ... */
|
Noncompliant Code Example
In this noncompliant code example, tmpnam is used.
| Code Block | ||
|---|---|---|
| ||
char file_name[L_tmpnam];
FILE *fp;
if (!tmpnam(file_name)) {
/* Handle error */
}
/* A TOCTOU race condition exists here */
fp = fopen(file_name, "wb+");
if (fp == NULL) {
/* Handle error */
}
|
Noncompliant Code Example
In this noncompliant code example, tmpfile is used.
| Code Block | ||
|---|---|---|
| ||
FILE *fp = tmpfile();
if (fp == NULL) {
/* Handle error */
}
|
Related Guidelines
ISO/IEC JTC1/SC22/WG11 Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces
ISO/IEC 9899:1999 Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files," Section 7.19.5.5, "The setbuf function"; 7.19.9.2, "The fseek function"; 7.19.9.5 "The rewind function"; and 7.21, "String handling <string.h>," Section 7.20.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.6, "Formatted input/output functions," Section 7.21.5.8, "The strtok function"
ISO/IEC TR 24772 "TRJ Use of Libraries"
MITRE CWE: CWE-73 "External Control of File Name or Path, "CWE-367, "Time-of-check Time-of-use Race Condition," CWE-676, "Use of Potentially Dangerous Function," CWE-192, "Integer Coercion Error," CWE-197, "Numeric Truncation Error," CWE-464, "Addition of Data Structure Sentinel," CWE-676, "Use of Potentially Dangerous Function," and CWE-20, "Insufficient Input Validation"
Bibliography
| Wiki Markup |
|---|
\[[Apple Secure Coding Guide|Bibliography#Apple Secure Coding Guide]\] "Avoiding Race Conditions and Insecure File Operations"
\[[CERT C Secure Coding Standard 2010|Bibliography#CERT C Secure Coding Standard 10]\]"[MSC34-C. Do not use deprecated or obsolescent functions|seccode:MSC34-C. Do not use deprecated or obsolescent functions]", "[FIO01-C. Be careful using functions that use file names for identification|seccode:FIO01-C. Be careful using functions that use file names for identification]", "[FIO07-C. Prefer fseek() to rewind()|seccode:FIO07-C. Prefer fseek() to rewind()]", "[FIO12-C. Prefer setvbuf() to setbuf()|seccode:FIO12-C. Prefer setvbuf() to setbuf()]", "[INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs|seccode:INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs]", "[INT06-C. Use strtol() or a related function to convert a string token to an integer|seccode:INT06-C. Use strtol() or a related function to convert a string token to an integer]", "[STR06-C. Do not assume that strtok() leaves the parse string unchanged|seccode:STR06-C. Do not assume that strtok() leaves the parse string unchanged]", "[STR07-C. Use TR 24731 for remediation of existing string manipulation code|seccode:STR07-C. Use TR 24731 for remediation of existing string manipulation code]"
\[[Drepper 2006|Bibliography#Drepper 06]\] Section 2.2.1 "Identification When Opening"
\[[Klein 2002|Bibliography#Klein 02]\]
\[[Linux 2007|Bibliography#Linux 07]\] {{strtok}}(3)
\[[Open Group 2004|Bibliography#Open Group 04]\] "The {{open}} function"
\[[Seacord 2005a|Bibliography#Seacord 05a]\] Chapter 2, "Strings," and Chapter 7, "File I/O"
\[[Seacord 2005b|Bibliography#Seacord 05b]\] |
...
49. Miscellaneous (MSC) MSC35-C. Do not include any executable statements inside a switch statement before the first case label