...
```c
#include <stdio.h>

long sl;
/* Noncompliant: "%ld" is undefined if the input does not fit in a long */
if (scanf("%ld", &sl) != 1) {
    /* handle error */
}
```
In general, do not use scanf() to parse integers or floating-point numbers from input strings, because the input could contain numbers not representable by the argument type. When the converted value cannot be represented in the object the argument points to, the C Standard states that the behavior is undefined (C11 7.21.6.2, paragraph 10). The return-value check above only catches input that is not a number at all: scanf() reports how many conversions were assigned, so an out-of-range value such as a 30-digit string is not reported as an error.
Compliant Solution
This compliant solution uses fgets() to read a line into a string and strtol() to convert that string to an integer. Error checking is provided to make sure that the value is a valid integer and lies within the range of long: strtol() reports no conversion (the end pointer equals the start of the string), trailing non-numeric characters (the end pointer is not at the end of the line), and overflow (errno is set to ERANGE), none of which scanf() reports.
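The fgets()/strtol() approach described above, written out as an added example; this is not the code from the CERT page. The 64-byte line buffer, the parse_long() helper and the parse_status enumeration are choices made for this example. It goes slightly beyond the text by reporting four distinct outcomes (valid, no digits, trailing characters, out of range) so the caller can tell them apart:

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of converting one input line to a long (hypothetical helper). */
enum parse_status {
    PARSE_OK,        /* the whole line was a valid long */
    PARSE_EMPTY,     /* no digits were found */
    PARSE_TRAILING,  /* digits were followed by other characters */
    PARSE_RANGE      /* value outside [LONG_MIN, LONG_MAX] */
};

/*
 * Convert buf (one line as returned by fgets, newline included) to a long.
 * Every failure mode that scanf("%ld") would mishandle is reported here.
 */
enum parse_status parse_long(const char *buf, long *out)
{
    char *end;
    errno = 0;                       /* strtol sets errno on error but never clears it */
    long value = strtol(buf, &end, 10);

    if (end == buf) {
        return PARSE_EMPTY;          /* no conversion could be performed */
    }
    if (errno == ERANGE) {
        return PARSE_RANGE;          /* value was clamped to LONG_MIN or LONG_MAX */
    }
    /* Only end of string, or a single trailing newline kept by fgets, is acceptable. */
    if (*end != '\0' && !(*end == '\n' && end[1] == '\0')) {
        return PARSE_TRAILING;
    }
    *out = value;
    return PARSE_OK;
}

int main(void)
{
    char buf[64];                    /* buffer size chosen for this example */
    long sl;

    if (fgets(buf, sizeof buf, stdin) == NULL) {
        fputs("read error or end of input\n", stderr);
        return EXIT_FAILURE;
    }
    switch (parse_long(buf, &sl)) {
    case PARSE_OK:
        printf("%ld\n", sl);
        return EXIT_SUCCESS;
    case PARSE_EMPTY:
        fputs("no number found\n", stderr);
        break;
    case PARSE_TRAILING:
        fputs("unexpected characters after the number\n", stderr);
        break;
    case PARSE_RANGE:
        fputs("number out of range for long\n", stderr);
        break;
    }
    return EXIT_FAILURE;
}
```

Two details matter in practice. errno must be zeroed before the call because strtol() only sets it on overflow, so a stale ERANGE from an earlier call would otherwise be misread. And a line longer than the buffer is truncated by fgets() with the remainder left unread in stdin; a production version should check that the line ended in a newline before trusting the result.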
...
Fortify SCA Version 5.0 with the CERT C Rule Pack can detect violations of this recommendation.
Compass/ROSE could detect violations simply by searching for calls to scanf() or a related function in which an argument is a pointer to an integer or floating-point type.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
...