According to the C Standard, 7.23.3, paragraph 6 [ISO/IEC 9899:2024],
The address of the
FILE
object used to control a stream may be significant; a copy of aFILE
object
...
is not required to serve in place of the original.
Consequently, do not copy Do not use a copy of a FILE
object in any input/output operations.
...
Noncompliant Code Example
This non-compliant noncompliant code example can fail because a by-value copy of stdout
is being used in the call to fputs()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> int main(void) { FILE my_stdout = *(stdout); if (fputs("Hello, World!\n", &my_stdout); == EOF) { /* Handle error */ } return 0; } |
Platform Specific Details
This non-compliant example does fails with an "access violation" when When compiled under Microsoft Visual Studio 2005 2013 and run on an IA-32 platformWindows, this noncompliant example results in an "access violation" at runtime.
Compliant Solution
In this compliant solution, a copy of the stdout
pointer to the FILE
object is used in the call to fputs()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> int main(void) { FILE *my_stdout = stdout; if (fputs("Hello, World!\n", my_stdout); == EOF) { /* Handle error */ } return 0; } |
Risk Assessment
Using a copy of a FILE
object in place of the original is likely to may result in a crash, which can be used in a denial-of-service attack.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO38-C |
2 (medium)
2 (probable)
2 (medium)
P8
L2
Low | Probable | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| file-dereference | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC-FIO38 | Fully implemented | ||||||
Clang |
| misc-non-copyable-objects | Checked with clang-tidy | ||||||
Compass/ROSE | Can detect simple violations of this rule | ||||||||
Coverity |
| MISRA C 2012 Rule 22.5 | Partially implemented | ||||||
Cppcheck Premium |
| premium-cert-fio38-c | Fully implemented | ||||||
Helix QAC |
| C1485, C5028 C++3113, C++3114 | |||||||
Klocwork |
| MISRA.FILE_PTR.DEREF.2012 | |||||||
LDRA tool suite |
| 591 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-FIO38-a | A pointer to a FILE object shall not be dereferenced | ||||||
PC-lint Plus |
| 9047 | Partially supported: reports when a FILE pointer is dereferenced | ||||||
| CERT C: Rule FIO38-C | Checks for misuse of a FILE object (rule fully covered) | |||||||
RuleChecker |
| file-dereference | Partially checked |
Related Vulnerabilities
Search for Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.
References
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
ISO/IEC TS 17961:2013 | Copying a FILE object [filecpy] | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
[ISO/IEC 9899:2024] | 7.23.3, "Files" |
...
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]] Section 7.19.3 Files Wiki Markup