...

  • SPACE—the space (" ") character
  • N/E—no effect
  • NTBS—char* argument pointing to a null-terminated byte string
  • NTWS—wchar_t* argument pointing to a null-terminated wide character string
  • XSI—ISO/IEC 9945-2003 XSI extension

Noncompliant Code Example

Mismatches between arguments and conversion specifications may result in undefined behavior. Many compilers can diagnose type mismatches in formatted output function invocations. In the following noncompliant code example, the error_type argument to printf() is incorrectly matched with the %s specifier (it should be %d), and the error_msg argument is incorrectly matched with the %d specifier (it should be %s). One possible result of this invocation is that printf() interprets the error_type argument as a pointer and tries to read a string from the address that error_type contains, which will most likely result in an access violation:

#include <stdio.h>

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
/* The arguments are swapped relative to the conversion specifiers:
   %s receives an int and %d receives a char* */
printf("Error (type %s): %d\n", error_type, error_msg);

Compliant Solution

This compliant solution ensures that the format arguments match their respective format specifications:

#include <stdio.h>

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
/* %d receives the int and %s receives the char* */
printf("Error (type %d): %s\n", error_type, error_msg);

Noncompliant Code Example

The width and precision arguments to printf() format directives must be of type int. Subclause 7.21.6.1 of the C Standard [ISO/IEC 9899:2011] states:

...

#include <stdio.h>

int print_int(int i, size_t width, size_t prec) {
  int n;

  /* The '*' width and precision directives consume an int from the
     argument list, but size_t values are passed here: a type mismatch
     and therefore undefined behavior */
  n = printf("%*.*d", width, prec, i);

  return n;
}

Compliant Solution

In this compliant solution, the field width and precision arguments to printf() format directives are of type int:

#include <stdio.h>

int print_int(int i, int width, int prec) {
  int n;

  /* width and prec are int, matching what the '*' directives expect */
  n = printf("%*.*d", width, prec, i);

  return n;
}
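As an added example (not from the CERT page), a hypothetical format_int_checked() that still accepts the size_t width and precision of the noncompliant print_int() but range-checks them and converts them to int before the '*' directives consume them, so the argument types match the format string:

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Format i into buf with a caller-supplied width and precision that arrive
 * as size_t. The '*' directives in "%*.*d" consume an int each, so the
 * values are range-checked and cast before snprintf() sees them.
 * Returns the snprintf() result (characters that would be written), or -1
 * if width or prec cannot be represented as an int.
 * Hypothetical helper written for this example, not part of FIO00-C. */
int format_int_checked(char *buf, size_t buflen, int i,
                       size_t width, size_t prec) {
  if (width > INT_MAX || prec > INT_MAX) {
    return -1;  /* refuse rather than pass an unrepresentable value */
  }
  /* Both variadic arguments are now int, as "%*.*d" requires */
  return snprintf(buf, buflen, "%*.*d", (int)width, (int)prec, i);
}

int main(void) {
  char buf[32];
  int n = format_int_checked(buf, sizeof buf, 42, 8, 5);
  printf("[%s] (%d chars)\n", buf, n);          /* [   00042] (8 chars) */
  n = format_int_checked(buf, sizeof buf, 42, (size_t)INT_MAX + 1, 5);
  printf("rejected: %d\n", n);                   /* rejected: -1 */
  return 0;
}
```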

Risk Assessment

In most cases, incorrectly specified format strings will result in abnormal program termination.

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|----------------|----------|------------|------------------|----------|-------|
| FIO00-C        | High     | Unlikely   | Medium           | P6       | L2    |

Automated Detection

| Tool | Version | Checker | Description |
|------|---------|---------|-------------|
| GCC | | | Can detect violations of this recommendation when the -Wformat flag is used |
| Klocwork | | SV.FMT_STR | |
| LDRA tool suite | | 486 S, 589 S | Fully implemented |
| PRQA QA-C | | 0179 (U), 0180 (C99), 0184 (U), 0185 (U), 0190 (U), 0191 (U), 0192 (U), 0193 (U), 0194 (U), 0195 (U), 0196 (U), 0197 (U), 0198 (U), 0199 (U), 0200 (U), 0201 (U), 0202 (I), 0206 (U) | Partially implemented |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: FIO00-CPP. Take care when creating format strings
ISO/IEC TS 17961: Using invalid format strings [invfmtstr]
MITRE CWE: CWE-686, Function call with incorrect argument type

Bibliography

[ISO/IEC 9899:2011] Subclause 7.21.6.1, "The fprintf Function"

...