...
The solution is to include an implementation of the missing function vsnprintf() to eliminate the dependency on external library functions when they are not available. This compliant solution assumes that __USE_ISOC11 is not defined on systems that fail to provide a vsnprintf() implementation.
```c
#include <stdio.h>

#ifndef __USE_ISOC11
/* reimplements vsnprintf() */
#include "my_stdio.h"
#endif
```
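The compliant solution leaves the contents of my_stdio.h to the reader. The following is an added example, not code from the CERT page, of what such a fallback could look like: a bounded formatter that keeps the two properties a caller of vsnprintf() relies on, namely that it never writes more than `size` bytes and that it always NUL-terminates when `size` is nonzero. The functions are named `my_vsnprintf` and `my_snprintf` (an assumption, chosen so they can coexist with the platform's own vsnprintf() for testing; a real my_stdio.h would expose them under the standard names only inside the `#ifndef` guard), and they support only the %s, %d, %c and %% conversions, which is also an assumption made to keep the example short.

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical contents of my_stdio.h (added example, not CERT code):
 * a bounded, always-NUL-terminating formatter for %s, %d, %c and %%.
 * Like C99 vsnprintf(), it returns the length the full output would
 * have had, so callers can detect truncation by comparing the result
 * with the buffer size.
 */

/* Emit one character if it fits, but count it regardless. */
static void put_char(char *buf, size_t size, size_t *pos, char c) {
    if (*pos + 1 < size) {  /* reserve the last byte for the terminator */
        buf[*pos] = c;
    }
    (*pos)++;
}

static void put_str(char *buf, size_t size, size_t *pos, const char *s) {
    while (*s != '\0') {
        put_char(buf, size, pos, *s++);
    }
}

static void put_int(char *buf, size_t size, size_t *pos, int v) {
    char digits[16];
    size_t n = 0;
    unsigned int u;
    if (v < 0) {
        put_char(buf, size, pos, '-');
        u = (unsigned int)(-(v + 1)) + 1u;  /* well defined even for INT_MIN */
    } else {
        u = (unsigned int)v;
    }
    do {
        digits[n++] = (char)('0' + u % 10u);
        u /= 10u;
    } while (u != 0u);
    while (n > 0) {
        put_char(buf, size, pos, digits[--n]);
    }
}

int my_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap) {
    size_t pos = 0;
    while (*fmt != '\0') {
        char c = *fmt++;
        if (c != '%') {
            put_char(buf, size, &pos, c);
            continue;
        }
        c = *fmt;
        if (c == '\0') {
            break;  /* a trailing lone '%' is dropped, never read past the end */
        }
        fmt++;
        switch (c) {
        case 's': {
            const char *s = va_arg(ap, const char *);
            put_str(buf, size, &pos, s != NULL ? s : "(null)");
            break;
        }
        case 'd':
            put_int(buf, size, &pos, va_arg(ap, int));
            break;
        case 'c':
            put_char(buf, size, &pos, (char)va_arg(ap, int));
            break;
        case '%':
            put_char(buf, size, &pos, '%');
            break;
        default:  /* unsupported conversion: copied through literally */
            put_char(buf, size, &pos, '%');
            put_char(buf, size, &pos, c);
            break;
        }
    }
    /* Terminate inside the buffer even when the output was truncated. */
    if (size > 0) {
        buf[pos < size ? pos : size - 1] = '\0';
    }
    return (int)pos;
}

int my_snprintf(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = my_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}
```

The point of the design is in `put_char`: output beyond `size - 1` is counted but never stored, so the caller's buffer cannot be overrun no matter how long the formatted result is, and a return value of `size` or more signals truncation. A fallback that instead forwards to vsprintf() would compile and appear to work on short input while silently discarding the bound, which is exactly the substitution this rule warns against.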
...
Replacing secure functions with less secure functions is a very risky practice because developers can easily be fooled into trusting the function to perform a security check that is absent. This may be a concern, for example, as developers attempt to adopt more secure functions, like the C11 Annex K functions [ISO/IEC 9899:2011], that might not be available on all platforms. (See STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.)
...
| Source | Section |
|---|---|
| [Open Group 2004] | vsnprintf() |
| [Seacord 2013] | Chapter 6, "Formatted Output" |
| [ISO/IEC 9899:2011] | 7.21.6.12, "The vsnprintf Function" |
| [VU#654390] | |
...