...

Noncompliant Code Example

The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) contained a vulnerability that introduced several potential buffer overflow conditions [VU#654390]. ISC DHCP makes use of the vsnprintf() function for writing various log file strings, which is defined in the Open Group Base Specifications Issue 6 [Open Group 2004] as well as C99 [ISO/IEC 9899:1999]. For systems that do not support vsnprintf(), a C include file was created that defines the vsnprintf() function to vsprintf(), as shown in this noncompliant code example:

/* The size argument is silently discarded, so vsprintf() may write past the end of buf */
#define vsnprintf(buf, size, fmt, list) \
  vsprintf(buf, fmt, list)
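As an added example (not from this rule or from ISC's code), the following C shows what the dropped size argument costs: the macro from the noncompliant example, renamed unbounded_vsnprintf here so it can coexist with the real vsnprintf(), writes the whole formatted string however small the claimed size, while a wrapper around the real vsnprintf() honours the bound and reports truncation. The scratch buffer is deliberately oversized so the demonstration itself never overflows, and the long lease name is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The noncompliant fallback, renamed: the size argument is discarded,
 * so nothing bounds the output to the destination buffer. */
#define unbounded_vsnprintf(buf, size, fmt, list) \
    vsprintf(buf, fmt, list)

/* Constructed sample: an overlong host name from an untrusted lease request. */
static const char LONG_NAME[] = "host-with-a-very-long-name-0123456789";

/* Formats through the noncompliant macro. The caller passes a claimed size
 * that is smaller than the real buffer, so the overrun is observable but safe. */
static int format_noncompliant(char *dst, size_t claimed_size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = unbounded_vsnprintf(dst, claimed_size, fmt, ap);
    va_end(ap);
    return n;
}

/* Compliant: the real vsnprintf() respects size. Returns 1 if the output fit,
 * 0 if it was truncated or an encoding error occurred (dst is always terminated). */
static int format_bounded(char *dst, size_t size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    if (n < 0) { if (size) dst[0] = '\0'; return 0; }
    return (size_t)n < size;
}

/* Bytes the macro wrote when the caller claimed only 16 bytes: 47, not 15. */
int noncompliant_bytes_written(void) {
    char scratch[256];  /* oversized so the demonstration never actually overflows */
    format_noncompliant(scratch, 16, "lease for %s", LONG_NAME);
    return (int)strlen(scratch);
}

/* Bytes the bounded version wrote into a genuine 16-byte buffer: at most 15. */
int bounded_bytes_written(void) {
    char buf[16];
    format_bounded(buf, sizeof buf, "lease for %s", LONG_NAME);
    return (int)strlen(buf);
}

/* Whether "lease for <name>" fits a 16-byte buffer without truncation. */
int bounded_reports_fit(const char *name) {
    char buf[16];
    return format_bounded(buf, sizeof buf, "lease for %s", name);
}
```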

...

MITRE CWE: CWE-684, "Failure to Provide Specified Functionality"

Bibliography

...

[Open Group 2004] vsnprintf(), http://www.opengroup.org/onlinepubs/009695399/functions/vsnprintf.html
[Seacord 2005a] Chapter 6, "Formatted Output"
[VU#654390]

...