...
| Obsolete | Recommended | Rationale |
|---|---|---|
| | | Non-reentrant. |
| | | No error detection. |
| | | No error detection. |
| | | No error detection. |
| | | No error detection. |
| | | Non-reentrant. |
| | | No exclusive access to file. |
| | | No exclusive access to file. |
| | | No error detection. |
| | | No error detection. |
The atof, atoi, atol, and atoll functions are obsolete because the strtod, strtof, strtol, strtold, strtoll, strtoul, and strtoull functions can emulate their usage and have more robust error-handling capabilities. See INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs.
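The following is an added example, not code from the CERT page, showing the error detection that strtol provides and atol lacks. The parse_long function and its parse_status values are names chosen here; the input strings are constructed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of a checked string-to-long conversion. */
enum parse_status { PARSE_OK, PARSE_EMPTY, PARSE_TRAILING, PARSE_RANGE };

/* Convert all of 'text' (base 10) to a long, reporting the failure modes that
 * atol() hides: no digits at all, trailing junk, and out-of-range values. */
enum parse_status parse_long(const char *text, long *out) {
  char *end;
  long value;

  errno = 0;                    /* strtol() only sets errno on failure */
  value = strtol(text, &end, 10);

  if (end == text) {
    return PARSE_EMPTY;         /* no conversion could be performed */
  }
  if (*end != '\0') {
    return PARSE_TRAILING;      /* e.g. "12abc": digits followed by junk */
  }
  if (errno == ERANGE) {
    return PARSE_RANGE;         /* value was clamped to LONG_MIN or LONG_MAX */
  }
  *out = value;
  return PARSE_OK;
}

int main(void) {
  /* Constructed inputs: one valid, three that atol() cannot report as bad. */
  const char *samples[] = { "42", "", "12abc", "99999999999999999999999" };
  size_t i;
  for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    long v = 0;
    enum parse_status st = parse_long(samples[i], &v);
    printf("\"%s\": status %d, value %ld\n", samples[i], (int)st, v);
  }
  /* atol("") and atol("0") both yield 0; the caller cannot tell them apart. */
  printf("atol(\"\") = %ld, atol(\"0\") = %ld\n", atol(""), atol("0"));
  return 0;
}
```

The errno reset before the call matters: strtol leaves errno untouched on success, so a stale ERANGE from an earlier call would otherwise be misreported.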
...
The asctime and ctime functions are obsolete because they use non-reentrant static buffers and can be emulated using asctime_s and ctime_s.
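As an added illustration of the non-reentrancy problem (this code is not from the CERT page): asctime writes into one static buffer shared by every caller, so a pointer kept from an earlier call is overwritten by the next. Because the Annex K asctime_s is not available in every C library, the replacement shown here formats into a caller-supplied buffer with strftime instead; make_tm, asctime_buffer_is_shared and format_time are names chosen for this example, and the calendar times are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Build a fixed, constructed calendar time so results are deterministic.
 * tm_wday is left at 0 (Sunday); asctime() and strftime() use it as given. */
struct tm make_tm(int year, int month, int day, int hour) {
  struct tm t;
  memset(&t, 0, sizeof t);
  t.tm_year = year - 1900;
  t.tm_mon = month - 1;
  t.tm_mday = day;
  t.tm_hour = hour;
  return t;
}

/* asctime() formats into a single static buffer shared by all callers, so a
 * pointer kept from one call is overwritten by the next. Returns 1 if that
 * overwrite is observed. */
int asctime_buffer_is_shared(void) {
  struct tm a = make_tm(2001, 1, 1, 0);
  struct tm b = make_tm(2002, 2, 2, 12);
  char saved[32];
  char *p1 = asctime(&a);
  strncpy(saved, p1, sizeof saved - 1);
  saved[sizeof saved - 1] = '\0';
  char *p2 = asctime(&b);
  /* Same address, and the text p1 points at no longer matches what we saved. */
  return p1 == p2 && strcmp(saved, p1) != 0;
}

/* Reentrant alternative: format into a caller-supplied buffer. strftime()
 * returns 0 when the result does not fit, so truncation is detected rather
 * than silent. asctime_s() from Annex K offers the same guarantee where a
 * libc provides it. Returns 1 on success, 0 on failure. */
int format_time(const struct tm *t, char *buf, size_t len) {
  return strftime(buf, len, "%a %b %d %H:%M:%S %Y", t) != 0;
}

int main(void) {
  struct tm t = make_tm(2001, 1, 1, 0);
  char buf[32];
  printf("asctime buffer shared: %d\n", asctime_buffer_is_shared());
  if (format_time(&t, buf, sizeof buf)) {
    printf("%s\n", buf);
  }
  return 0;
}
```

The day and month names from %a and %b depend on the locale; in the default "C" locale they match the English abbreviations asctime uses.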
Unchecked Obsolete Functions
The following are hereby defined to be unchecked obsolete functions:
...
Noncompliant Code Example
In this noncompliant code example, the obsolete functions strcat and strcpy are used.

```c
#include <stdio.h>
#include <string.h>

/* BUFSIZE is not defined on the page; a value is assumed here so the example compiles. */
enum { BUFSIZE = 256 };

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZE];
  /* Neither strcpy nor strcat knows the size of buf: a long msg overflows it. */
  strcpy(buf, prefix);
  strcat(buf, msg);
  strcat(buf, suffix);
  fputs(buf, stderr);
}
```
Compliant Solution
In this compliant solution, strcat() and strcpy() are replaced by strcat_s() and strcpy_s().

```c
#define __STDC_WANT_LIB_EXT1__ 1  /* request the Annex K bounds-checking interfaces */
#include <stdio.h>
#include <string.h>

enum { BUFFERSIZE = 256 };

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZE];
  /* Each call receives the destination size; an overflow invokes the
   * runtime-constraint handler instead of writing past buf. */
  strcpy_s(buf, BUFFERSIZE, prefix);
  strcat_s(buf, BUFFERSIZE, msg);
  strcat_s(buf, BUFFERSIZE, suffix);
  fputs(buf, stderr);
}
```
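Many C libraries do not ship the Annex K functions, so here is an added example (not from the CERT page) of the same bounded, error-detecting behaviour written with snprintf, which never writes past the buffer and reports the length it needed. The names complain_bounded and max_message_length are chosen for this example; the FILE * parameter is added so the output stream can be selected by the caller.

```c
#include <stdio.h>
#include <string.h>

enum { BUFFERSIZE = 256 };

/* Portable counterpart of the strcpy_s/strcat_s version. snprintf() stops at
 * the buffer size and returns the length it wanted, so a message that would
 * not fit is detected and rejected instead of overflowing buf.
 * Returns 0 on success, -1 if the message did not fit (nothing is emitted). */
int complain_bounded(const char *msg, FILE *out) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZE];
  int needed = snprintf(buf, sizeof buf, "%s%s%s", prefix, msg, suffix);
  if (needed < 0 || (size_t)needed >= sizeof buf) {
    return -1;  /* would have been truncated or overflowed: let the caller decide */
  }
  fputs(buf, out);
  return 0;
}

/* Longest msg that still fits: buffer minus NUL, prefix and suffix. */
size_t max_message_length(void) {
  return BUFFERSIZE - 1 - strlen("Error: ") - strlen("\n");
}

int main(void) {
  char big[BUFFERSIZE + 8];
  memset(big, 'x', sizeof big - 1);
  big[sizeof big - 1] = '\0';            /* constructed oversized message */
  printf("short message: %d\n", complain_bounded("disk full", stderr));
  printf("oversized message: %d\n", complain_bounded(big, stderr));
  return 0;
}
```

Rejecting an oversized message rather than silently truncating it keeps the error text intact; a caller that prefers truncation can drop the length check, but should do so knowingly.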
Noncompliant Code Example
...
```c
#include <stdio.h>

void configure_stream(FILE *file) {
  /* Setup file */
  /* setbuf() returns void: if the request is rejected, nothing tells the caller. */
  setbuf(file, NULL);
  /* ... */
}
```
Compliant Solution
In this compliant solution.
Noncompliant Code Example
...
```c
#include <stdio.h>

void create_temp_file(void) {
  char file_name[L_tmpnam];
  FILE *fp;
  if (!tmpnam(file_name)) {
    /* Handle error */
  }
  /* A TOCTOU race condition exists here: another process can create
   * file_name between the tmpnam() call and the fopen() call. */
  fp = fopen(file_name, "wb+");
  if (fp == NULL) {
    /* Handle error */
  }
}
```
Compliant Solution
In this compliant solution.
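The following added example (not the CERT page's own compliant solution) serves both the setbuf and the tmpnam noncompliant examples above. It uses tmpfile(), which creates and opens the temporary file in one call so there is no file name for another process to race on, and setvbuf(), whose return value reports failure where setbuf() cannot. The function names open_unbuffered_scratch and scratch_roundtrip are chosen here, and the record written is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Create an anonymous scratch file and make it unbuffered, checking every step.
 * tmpfile() avoids the tmpnam()+fopen() TOCTOU window because no name is ever
 * exposed; setvbuf() returns nonzero on failure. Returns NULL on any error. */
FILE *open_unbuffered_scratch(void) {
  FILE *fp = tmpfile();
  if (fp == NULL) {
    return NULL;                  /* could not create the file */
  }
  /* setvbuf() must precede any other operation on the stream. */
  if (setvbuf(fp, NULL, _IONBF, 0) != 0) {
    fclose(fp);                   /* the file is removed automatically */
    return NULL;
  }
  return fp;
}

/* Round-trip one constructed record through the scratch file, using fseek()
 * rather than rewind() so that a seek failure is reported. 0 on success. */
int scratch_roundtrip(const char *record) {
  char back[128];
  FILE *fp = open_unbuffered_scratch();
  if (fp == NULL) {
    return -1;
  }
  if (fputs(record, fp) == EOF || fseek(fp, 0L, SEEK_SET) != 0 ||
      fgets(back, sizeof back, fp) == NULL) {
    fclose(fp);
    return -1;
  }
  fclose(fp);
  return strcmp(back, record) == 0 ? 0 : -1;
}

int main(void) {
  printf("roundtrip: %d\n", scratch_roundtrip("constructed record 1\n"));
  return 0;
}
```

Where a named temporary file is genuinely required, the same principle applies: create and open it atomically with a function that fails if the name already exists, rather than generating a name and opening it in two steps.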
Noncompliant Code Example
...
In this compliant solution.
Exceptions
MSC34-EX1: If an out-of-bounds store cannot occur in a specific invocation of a function, the invocation of that function is permitted by this rule. The rationale for this exception is that the simple use of such a function in a program does not mean the program is incorrect. To eliminate the use of such a function, the programmer must replace calls to the deprecated or obsolete function with calls to the alternative functions. Unfortunately, the process of modifying existing code frequently introduces defects and vulnerabilities and is not recommended. New code should be developed in conformance to this guideline, however.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC 9899:2011 Section 7.21.3, "Files," Section 7.21.4, "Operations on files," Section 7.21.5.5, "The setbuf function," Section 7.21.6, "Formatted input/output functions," 7.21.9.2, "The fseek function"; 7.21.9.5, "The rewind function," Section 7.22.1.4, "The strtol, strtoll, strtoul, and strtoull functions," 7.24, "String handling <string.h>," and Section 7.24.5.8, "The strtok function"
ISO/IEC JTC1/SC22/WG11 Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces
ISO/IEC TR 24772 "TRJ Use of libraries"
MISRA Rule 20.4
...
| Standard | Guideline |
|---|---|
| CERT C Secure Coding Standard | FIO01-C. Be careful using functions that use file names for identification; FIO07-C. Prefer fseek() to rewind(); FIO12-C. Prefer setvbuf() to setbuf(); INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs; INT06-C. Use strtol() or a related function to convert a string token to an integer; MSC34-C. Do not use deprecated or obsolete functions; STR06-C. Do not assume that strtok() leaves the parse string unchanged; STR07-C. Use TR 24731 for remediation of existing string manipulation code |
| ISO/IEC TR 24772 | Use of Libraries [TRJ] |
| ISO/IEC TR 24731-1:2007 | |
| MISRA-C | Rule 20.4 |
| MITRE CWE | CWE-20, Insufficient input validation; CWE-73, External control of file name or path; CWE-192, Integer coercion error; CWE-197, Numeric truncation error; CWE-367, Time-of-check, time-of-use race condition |
...
Addition of data structure sentinel
...
Use of potentially dangerous function
...
Bibliography

| Reference | Source |
|---|---|
| [Apple 2006] | Apple Secure Coding Guide, "Avoiding Race Conditions and Insecure File Operations" |
| ... | Specifications for Managed Strings, Second Edition |
| [Drepper 2006] | Section 2.2.1, "Identification When Opening" |
| ISO/IEC 9945:2003 | |
| ISO/IEC 23360-1:2006 | |
| [ISO/IEC WG14 N1173] | Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces |
| [Klein 2002] | "Bullet Proof Integer Input Using strtol()" |
| [Linux 2008] | strtok(3) |
| [Open Group 2004] | "The open Function" |
| [Seacord 2013] | Chapter 2, "Strings"; Chapter 8, "File I/O" |
| [Seacord 2005b] | "Managed String Library for C, C/C++" |
...