...
Note that the calls to fprintf() and printf() are C99 standard functions and not managed string functions.
...
Risk Assessment
String handling functions defined in C99 Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Managed strings, when used properly, can eliminate many of these errors--particularly in new development.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level | |
|---|---|---|---|---|---|---|
STR01-A | ||||||
Component | Value | |||||
Severity | 3 (high) | Likelihood | 2 (probable) Remediation cost | 1 (high) | P6 | L2 |
References
- Burch 06
- CERT 06
- ISO/IEC 9899-1999 Section 7.21 String handling <string.h>
- Seacord 05a Chapter 2 Strings