SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 29

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 30

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not use deprecated or Obsolete obsolete functions when more secure equivalent functions are available. Deprecated functions are defined by the C Standard. Obsolete functions are typically functions for which there are more secure or portable alternatives available and are defined by this rule.

...

The gets function was deprecated by Technical Corrigendum 3 to C99 and eliminated from C1XC11.

Obsolete Functions

Functions in the first column of the following table are hereby defined to be Obsolete obsolete functions. To remediate invocations of Obsolete obsolete functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-Obsolete nonobsolete functions.

Obsolete
Function

Recommended
Alternative

Rationale

asctime

asctime_s

Non-reentrant.

atof

strtod

No error detection.

atoi

strtol

No error detection.

atol

strtol

No error detection.

atoll

strtoll

No error detection.

ctime

ctime_s

Non-reentrant.

fopen

fopen_s

No exclusive access to file.

freopen

freopen_s

No exclusive access to file.

rewind

fseek

No error detection.

setbuf

setvbuf

No error detection.

The atof, atoi, atol, and atoll functions are Obsolete obsolete because the strod, strtof, strtol, strtold, strtoll, strotul, and strtoull functions can emulate their usage and have more robust error-handling capabilities. See INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs.

The fopen and freopen functions are Obsolete obsolete because the fopen_s and freopen_s functions can emulate their usage and improve security by protecting the file from unauthorized access by setting its file protection and opening the file with exclusive access [ISO/IEC WG14 N1173].

The setbuf function is Obsolete obsolete because setbuf does not return a value and can be emulated using setvbuf. See FIO12-C. Prefer setvbuf() to setbuf().

The rewind function is Obsolete obsolete because rewind does not return a value and can be emulated using fseek. See FIO07-C. Prefer fseek() to rewind().

The asctime and ctime functions are Obsolete obsolete because they use non-reentrant static buffers and can be emulated using asctime_s and ctime_s.

...

The following are hereby defined to be unchecked Obsolete obsolete functions:

 

bsearch

 

fprintf

fscanf

fwprintf

fwscanf

getenv

gmtime

localtime

mbsrtowcs

mbstowcs

memcpy

memmove

printf

qsort

setbuf

snprintf

sprintf

sscanf

strcat

strcpy

strerror

strncat

strncpy

strtok

swprintf

swscanf

vfprintf

vfscanf

vfwprintf

vfwscanf

vprintf

vscanf

vsnprintf

vsprintf

vsscanf

vswprintf

vswscanf

vwprintf

vwscanf

wcrtomb

wcscat

wcscpy

wcsncat

wcsncpy

wcsrtombs

wcstok

wcstombs

wctomb

wmemcpy

wmemmove

wprintf

wscanf

 

 

To remediate invocations of unchecked Obsolete obsolete functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-Obsolete nonobsolete functions from ISO/IEC TR 24731 (Part I):

abort_handler_s

 

bsearch_s

 

fprintf_s

freopen_s

fscanf_s

fwprintf_s

fwscanf_s

getenv_s

gets_s

gmtime_s

ignore_handler_s

localtime_s

mbsrtowcs_s

mbstowcs_s

memcpy_s

memmove_s

printf_s

qsort_s

scanf_s

set_constraint_handler_s

snprintf_s

snwprintf_s

sprintf_s

sscanf_s

strcat_s

strcpy_s

strerror_s

strerrorlen_s

strncat_s

strncpy_s

strnlen_s

strtok_s

swprintf_s

swscanf_s

vfprintf_s

vfscanf_s

vfwprintf_s

vfwscanf_s

vprintf_s

vscanf_s

vsnprintf_s

vsnwprintf_s

vsprintf_s

vsscanf_s

vswprintf_s

vswscanf_s

vwprintf_s

vwscanf_s

wcrtomb_s

wcrtoms_s

wcscat_s

wcscpy_s

wcsncat_s

wcsncpy_s

wcsnlen_s

wcsrtombs_s

wcstok_s

wcstombs_s

wctomb_s

wmemcpy_s

wmemmove_s

wprintf_s

wscanf_s

 

 

 

 

 

or alternative non-Obsolete nonobsolete functions from ISO/IEC TR 24731-2:2010 (Part II):

...

In this noncompliant code example, the Obsolete obsolete functions strcat and strcpy are used.

...

Code Block
bgColor#ccccFF
langc
enum { BUFFERSIZE=256 };

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZE];

  strcpy_s(buf, BUFFERSIZE, prefix);
  strcat_s(buf, BUFFERSIZE, msg);
  strcat_s(buf, BUFFERSIZE, suffix);
  fputs(buf, stderr);
}

 

Noncompliant Code Example

In this noncompliant code example, the Obsolete obsolete function setbuf is used.

Code Block
bgColor#FFcccc
FILE *file;
/* Setup file */
setbuf(file, NULL);
/* ... */

...

Code Block
bgColor#ccccFF
langc
 

 

Noncompliant Code Example

In this noncompliant code example, tmpnam is used.

...

Code Block
bgColor#ccccFF
langc
 

 

Noncompliant Code Example

In this noncompliant code example, tmpfile is used.

...

MSC34-EX1: If an out-of-bounds store cannot occur in a specific invocation of a function, the invocation of that function is permitted by this rule. The rationale for this exception is that the simple use of such a function in a program does not mean that the program is incorrect.  A requirement to eliminate the use of such a function requires that the programmer replace calls to the deprecated or obsolete function with  calls to the alternative functions.  Unfortunately, the process of modifying existing code frequently introduces defects and vulnerabilities and is therefore not recommended.  New code should be developed in conformance to this guideline, however.

Risk Assessment

The deprecated and Obsolete obsolete functions enumerated in this guideline are commonly associated with software vulnerabilities.

...

Related Guidelines

ISO/IEC 9945:2003

ISO/IEC 9899:1999 Section 2011 Section 7.1921.3, "Files," and Section 7.1921.4, "Operations on Filesfiles," Section 7.1921.5.5, "The setbuf function"; ," Section 7.21.6, "Formatted input/output functions," 7.1921.9.2, "The fseek function"; 7.1921.9.5, "The rewind function"; and 7.21," String handling <string.h>," Section 7.2022.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.624, "Formatted input/output functionsString handling <string.h>," and Section 7.2124.5.8, "The strtok function"

...

ISO/IEC TR 24772 "TRJ Use of Librarieslibraries"

ISO/IEC PDTR 24731-2

MISRA Rule 20.4

MITRE CWE: CWE-73 "External Control of File Name or Path, "CWE-367, "Time-of-check Time-of-use Race Condition," CWE-676, "Use of Potentially Dangerous Function20, "Insufficient input validation," CWE-73 "External control of fle name or path," CWE-192, "Integer Coercion Errorcoercion error," CWE-197, "Numeric Truncation Errortruncation error," CWE-464367, "Addition of Data Structure SentinelTime-of-check, time-of-use race condition," CWE-676464, "Use of Potentially Dangerous FunctionAddition of data structure sentinel," and CWE-20676, "Insufficient Input Validation"

Bibliography

[Burch 2006]
[CERT 2006c]
[Seacord 2005a] Chapter 2, "Strings"

...

Use of potentially dangerous function"

Sources

[Apple 2006] Apple Secure Coding Guide, "Avoiding Race Conditions and Insecure File Operations"
[CERT 2006cMSC34-C. Do not use deprecated or obsolete functions, FIO01-C. Be careful using functions that use file names for identification, FIO07-C. Prefer fseek() to rewind(), FIO12-C. Prefer setvbuf() to setbuf(), INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs, INT06-C. Use strtol() or a related function to convert a string token to an integer, STR06-C. Do not assume that strtok() leaves the parse string unchanged, STR07-C. Use TR 24731 for remediation of existing string manipulation code
[Burch 2006]
[CERT 2006c]
[Drepper 2006] Section 2.2.1 "Identification When Openingwhen opening"
[Klein 2002]
[Linux 2008] strtok(3)
[Open Group 2004] "The open function"
[Seacord 2005a] Chapter 2, "Strings," and Chapter 7, "File I/O"
[Seacord 2005b]

...