...
This compliant example uses the Linux scanf() implementation's built-in error handling to validate input. On Linux platforms, scanf() sets errno to ERANGE if the result of integer conversion cannot be represented within the size specified by the format string [Linux 2008]. Note that this solution is platform dependent, so it should be used only where portability is not a concern.
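The following added example (not code from the original page) sets the errno check described above beside a conversion built on strtol(), the function cited in the bibliography, so it goes one step beyond the paragraph. It assumes sscanf() on an in-memory string in place of scanf() on stdin so that it runs offline; the status codes, function names and sample inputs are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status codes for this example. */
enum parse_status { PARSE_OK, PARSE_NOT_INTEGER, PARSE_OUT_OF_RANGE, PARSE_TRAILING };

/* Platform dependent: relies on the scanf family setting errno to ERANGE
 * when the converted value does not fit, as described above for Linux. */
enum parse_status parse_long_scanf(const char *text, long *out) {
  long value;
  errno = 0;  /* must be cleared first; scanf never resets it */
  if (sscanf(text, "%ld", &value) != 1) return PARSE_NOT_INTEGER;
  if (errno == ERANGE) return PARSE_OUT_OF_RANGE;
  *out = value;
  return PARSE_OK;
}

/* Portable: strtol() reports overflow through errno on every conforming
 * implementation, and end_ptr exposes unconverted trailing characters. */
enum parse_status parse_long_strtol(const char *text, long *out) {
  char *end_ptr;
  long value;
  errno = 0;
  value = strtol(text, &end_ptr, 10);
  if (end_ptr == text) return PARSE_NOT_INTEGER;    /* no digits consumed */
  if (errno == ERANGE) return PARSE_OUT_OF_RANGE;   /* clamped to LONG_MIN/LONG_MAX */
  if (*end_ptr != '\0' && *end_ptr != '\n') return PARSE_TRAILING;
  *out = value;
  return PARSE_OK;
}

int main(void) {
  /* Constructed sample inputs. */
  const char *samples[] = { "42", "abc", "99999999999999999999999", "12abc" };
  long v = 0;
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    printf("%-24s scanf=%d strtol=%d\n", samples[i],
           (int)parse_long_scanf(samples[i], &v), (int)parse_long_strtol(samples[i], &v));
  }
  return 0;
}
```

For the input "12abc", the scanf-based function returns PARSE_OK with the value 12, while the strtol-based one reports the trailing characters.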
...
Tool | Version | Checker | Description |
---|---|---|---|
Fortify SCA | V. 5.0 | | Can detect violations of this recommendation with the CERT C Rule Pack. |
Compass/ROSE | | | Can detect violations of this recommendation. In particular, it notes uses of the |
PRQA QA-C | | Warncall for scanf etc | Fully implemented. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
INT05-CPP. Do not use input functions to convert character data if they cannot handle all possible inputs | |
---|---|
MITRE CWE | CWE-192, Integer coercion error; CWE-197, Numeric truncation error |
Bibliography
...
] | Section 7.22.1.4, "The strtol, strtoll, strtoul, and strtoull Functions," and |
---|
...
section 7.21.6, "Formatted Input/Output Functions" |
---|
...