Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not use deprecated or obsolescent functions when more secure equivalent functions are available. Deprecated functions are defined by the C Standard. Obsolete functions are typically functions for which there are more secure or portable alternatives available and are defined by this rule.

Deprecated Functions

The gets function was deprecated in Technical Corrigendum 3 of the C99 standard and eliminated from the C11 standard.

Obsolescent Functions

The following functions are obsolete and should be avoided in favor of either the portable equivalent or, if available, the more secure alternatives defined in [ISO/IEC TR 24731-1] Extensions to the C Library, — Part I: Bounds-checking interfaces, and [ISO/IEC TR 24731-2] Extensions to the C Library, — Part II: Dynamic Allocation Functions. (Several of the "Portable Equivalent" entries are specified in the POSIX standard.)

Function

Portable Equivalent

Secure Alternative

asctime

 

asctime_s

atof

strtod

 

atoi

strtol

 

atol

strtol

 

atoll

strtoll

 

bsearch

 

bsearch_s

ctime

 

ctime_s

fopen

fmemopen,open_memstream

fopen_s

fopen

open_wmemstream

 

fprintf

 

fprintf_s

freopen

 

freopen_s

fscanf

getdelim,getline

fscanf_s

fwprintf

 

fwprintf_s

fwscanf

getwdelim,getwline

fwscanf_s

getenv

 

getenv_s

gmtime

 

gmtime_s

localtime

 

localtime_s

mbsrtowcs

 

mbsrtowcs_s

mbstowcs

 

mbstowcs_s

memcpy

 

memcpy_s

memmove

 

memmove_s

printf

 

printf_s

qsort

 

qsort_s

remove

 

 

rename

 

 

rewind

fseek

 

setbuf

vsetbuf

 

snprintf

 

snprintf_s

sprintf

asprintf

sprintf_s

sscanf

 

sscanf_s

strcat

 

strcat_s

strcpy

stpcpy,strdup

strcpy_s

strerror

strerror_r

strerror_s

strncat

 

strncat_s

strncpy

stpncpy,strndup

strncpy_s

strtok

strtok_r

strtok_s

swprintf

aswprintf

swprintf_s

swscanf

 

swscanf_s

tmpfile

mkstemp

tmpfile_s

tmpfile_s

mkstemp

 

tmpnam

mkstemp

tmpnam_s

vfprintf

 

vfprintf_s

vfscanf

 

vfscanf_s

vfwprintf

 

vfwprintf_s

vfwscanf

 

vfwscanf_s

vprintf

 

vprintf_s

vscanf

 

vscanf_s

vsnprintf

 

vsnprintf_s

vsprintf

vasprintf

vsprintf_s

vsscanf

 

vsscanf_s

vswprintf

vaswprintf

vswprintf_s

vswscanf

 

vswscanf_s

vwprintf

 

vwprintf_s

vwscanf

 

vwscanf_s

wcrtomb

 

wcrtomb_s

wcscat

 

wcscat_s

wcscpy

 

wcscpy_s

wcsncat

 

wcsncat_s

wcsncpy

 

wcsncpy_s

wcsrtombs

 

wcsrtombs_s

wcstok

 

wcstok_s

wcstombs

 

wcstombs_s

wctomb

 

wctomb_s

wmemcpy

 

wmemcpy_s

wmemmove

 

wmemmove_r

wprintf

 

wprintf_s

wscanf

 

wscanf_s

Noncompliant Code Example

In this noncompliant code example, strcat() and strcpy() are used.

Code Block
bgColor#FFcccc
langc
enum { BUFFERSIZE=256 };

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZE];

  strcpy(buf, prefix);
  strcat(buf, msg);
  strcat(buf, suffix);
  fputs(buf, stderr);
}

Compliant Solution

In this compliant solution, strcat() and strcpy() are replaced by strcat_s() and strcpy_s().

Code Block
bgColor#ccccFF
langc
enum { BUFFERSIZE=256 };

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZE];

  strcpy_s(buf, BUFFERSIZE, prefix);
  strcat_s(buf, BUFFERSIZE, msg);
  strcat_s(buf, BUFFERSIZE, suffix);
  fputs(buf, stderr);
}

Risk Assessment

The deprecated and obsolescent enumerated in this guideline are commonly associated with software vulnerabilities.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC34-C

high

probable

medium

P12

L1

Automated Detection

Unknown.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC 9945:2003

ISO/IEC 9899:1999 Section 7.21, "String handling <string.h>"

ISO/IEC 23360-1:2006

ISO/IEC TR 24731-1:2007

ISO/IEC PDTR 24731-2

MISRA Rule 20.4

Bibliography

[Burch 2006]
[CERT 2006c]
[Seacord 2005a] Chapter 2, "Strings"

Using deprecated or obsolescent functions shall be diagnosed because there exist equivalent functions that are more secure.

Deprecated functions are defined by the C99 standard and Technical Corrigenda. Obsolescent functions are defined by this guideline.

When an analyzer determines that an out-of-bounds store cannot occur in a specific invocation of a function, the invocation of that function is permitted by this guideline, and the analyzer is not required to produce any diagnostic.

Deprecated Functions

The gets function was deprecated by Technical Corrigendum 3 to C99 and eliminated from C1X.

Obsolescent Functions

Functions in the first column of the following table are hereby defined to be obsolescent functions. To remediate invocations of obsolescent functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-obsolescent functions.

Obsolescent
Function

Recommended
Alternative

Rationale

asctime

asctime_s

Non-reentrant.

atof

strtod

No error detection.

atoi

strtol

No error detection.

atol

strtol

No error detection.

atoll

strtoll

No error detection.

ctime

ctime_s

Non-reentrant.

fopen

fopen_s

No exclusive access to file.

freopen

freopen_s

No exclusive access to file.

rewind

fseek

No error detection.

setbuf

setvbuf

No error detection.

The atof, atoi, atol, and atoll functions are obsolescent because the strod, strtof, strtol, strtold, strtoll, strotul, and strtoull functions can emulate their usage and have more robust error handling capabilities. See guideline INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs [CERT C Secure Coding Standard 2010].

The fopen and freopen functions are obsolescent because the fopen_s and freopen_s functions can emulate their usage and improve security by protecting the file from unauthorized access by setting its file protection and opening the file with exclusive access [ISO/IEC WG14 N1173].

The setbuf function is obsolescent because setbuf does not return a value and can be emulated using setvbuf. See guideline FIO12-C. Prefer setvbuf() to setbuf() [CERT C Secure Coding Standard 2010].

The rewind function is obsolescent because rewind does not return a value and can be emulated using fseek. See guideline FIO07-C. Prefer fseek() to rewind() [CERT C Secure Coding Standard 2010].

The asctime and ctime functions are obsolescent because they use non-reentrant static buffers and can be emulated using asctime_s and ctime_s.

Unchecked Obsolescent Functions

The following are hereby defined to be unchecked obsolescent functions:

 

bsearch

 

fprintf

fscanf

fwprintf

fwscanf

getenv

gmtime

localtime

mbsrtowcs

mbstowcs

memcpy

memmove

printf

qsort

setbuf

snprintf

sprintf

sscanf

strcat

strcpy

strerror

strncat

strncpy

strtok

swprintf

swscanf

vfprintf

vfscanf

vfwprintf

vfwscanf

vprintf

vscanf

vsnprintf

vsprintf

vsscanf

vswprintf

vswscanf

vwprintf

vwscanf

wcrtomb

wcscat

wcscpy

wcsncat

wcsncpy

wcsrtombs

wcstok

wcstombs

wctomb

wmemcpy

wmemmove

wprintf

wscanf

 

 

To remediate invocations of unchecked obsolescent functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-obsolescent functions from ISO/IEC TR 24731 (Part 1)

abort_handler_s

 

bsearch_s

 

fprintf_s

freopen_s

fscanf_s

fwprintf_s

fwscanf_s

getenv_s

gets_s

gmtime_s

ignore_handler_s

localtime_s

mbsrtowcs_s

mbstowcs_s

memcpy_s

memmove_s

printf_s

qsort_s

scanf_s

set_constraint_handler_s

snprintf_s

snwprintf_s

sprintf_s

sscanf_s

strcat_s

strcpy_s

strerror_s

strerrorlen_s

strncat_s

strncpy_s

strnlen_s

strtok_s

swprintf_s

swscanf_s

vfprintf_s

vfscanf_s

vfwprintf_s

vfwscanf_s

vprintf_s

vscanf_s

vsnprintf_s

vsnwprintf_s

vsprintf_s

vsscanf_s

vswprintf_s

vswscanf_s

vwprintf_s

vwscanf_s

wcrtomb_s

wcrtoms_s

wcscat_s

wcscpy_s

wcsncat_s

wcsncpy_s

wcsnlen_s

wcsrtombs_s

wcstok_s

wcstombs_s

wctomb_s

wmemcpy_s

wmemmove_s

wprintf_s

wscanf_s

 

 

 

 

 

or alternative non-obsolescent functions from ISO/IEC DTR 24731-2 (Part 2)

asprintf

aswprintf

fmemopen

fscanf

fwscanf

getdelim

getline

getwdelim

getwline

open_memstream

open_wmemstream

strdup

strndup

 

Noncompliant Code Example

In this noncompliant code example, the obsolescent functions strcat and strcpy are used.

Code Block
bgColor#FFcccc
void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZE];

  strcpy(buf, prefix);
  strcat(buf, msg);
  strcat(buf, suffix);
  fputs(buf, stderr);
}
 

Noncompliant Code Example

In this noncompliant code example, the obsolescent function setbuf is used.

Code Block
bgColor#FFcccc
FILE *file;
/* Setup file */
setbuf(file, NULL);
/* ... */
 

Noncompliant Code Example

In this noncompliant code example, tmpnam is used.

Code Block
bgColor#FFcccc
char file_name[L_tmpnam];
FILE *fp;

if (!tmpnam(file_name)) {
  /* Handle error */
}

/* A TOCTOU race condition exists here */

fp = fopen(file_name, "wb+");
if (fp == NULL) {
   /* Handle error */
}
 

Noncompliant Code Example

In this noncompliant code example, tmpfile is used.

Code Block
bgColor#FFcccc
FILE *fp = tmpfile();
if (fp == NULL) {
  /* Handle error */
}

Related Guidelines

ISO/IEC JTC1/SC22/WG11 Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces

ISO/IEC 9899:1999 Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files," Section 7.19.5.5, "The setbuf function"; 7.19.9.2, "The fseek function"; 7.19.9.5 "The rewind function"; and 7.21, "String handling <string.h>," Section 7.20.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.6, "Formatted input/output functions," Section 7.21.5.8, "The strtok function"

ISO/IEC TR 24772 "TRJ Use of Libraries"

ISO/IEC TR 24731-1:2007

MITRE CWE: CWE-73 "External Control of File Name or Path, "CWE-367, "Time-of-check Time-of-use Race Condition," CWE-676, "Use of Potentially Dangerous Function," CWE-192, "Integer Coercion Error," CWE-197, "Numeric Truncation Error," CWE-464, "Addition of Data Structure Sentinel," CWE-676, "Use of Potentially Dangerous Function," and CWE-20, "Insufficient Input Validation"

Bibliography

[Apple Secure Coding Guide] "Avoiding Race Conditions and Insecure File Operations"
[CERT C Secure Coding Standard 2010]"MSC34-C. Do not use deprecated or obsolete functions", "FIO01-C. Be careful using functions that use file names for identification", "FIO07-C. Prefer fseek() to rewind()", "FIO12-C. Prefer setvbuf() to setbuf()", "INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs", "INT06-C. Use strtol() or a related function to convert a string token to an integer", "STR06-C. Do not assume that strtok() leaves the parse string unchanged", "STR07-C. Use TR 24731 for remediation of existing string manipulation code"
[Drepper 2006] Section 2.2.1 "Identification When Opening"
[Klein 2002]
[Linux 2007] strtok(3)
[Open Group 2004] "The open function"
[Seacord 2005a] Chapter 2, "Strings," and Chapter 7, "File I/O"
[Seacord 2005b]


      49. Miscellaneous (MSC)      MSC35-C. Do not include any executable statements inside a switch statement before the first case label