According to the C Standard, 7.23.3, paragraph 6 [ISO/IEC 9899:2024],
The address of the
FILE
object used to control a stream may be significant; a copy of aFILE
object
...
is not required to serve in place of the original.
Consequently, do not copy Do not use a copy of a FILE
object in any input/output operations.
...
Noncompliant Code Example
This non-compliant noncompliant code example can fail because a by-value copy of stdout
is being used in the call to fputs()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> int main(void) { FILE my_stdout = *(stdout); if (fputs("Hello, World!\n", &my_stdout); == EOF) { /* Handle error */ } return 0; } |
Platform Specific Details
This non-compliant example does fail with an "access violation" when When compiled under Microsoft Visual Studio 2005 2013 and run on an IA-32 platformWindows, this noncompliant example results in an "access violation" at runtime.
Compliant Solution
In this compliant solution, a copy of the stdout
pointer to the FILE
object is used in the call to fputs()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> int main(void) { FILE *my_stdout = stdout; if (fputs("Hello, World!\n", my_stdout); == EOF) { /* Handle error */ } return 0; } |
Risk Assessment
Using a copy of a FILE
object in place of the original is likely to may result in a crash, which can be used in a denial-of-service attack.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO38-C | Low | Probable | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| file-dereference | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC-FIO38 | Fully implemented | ||||||
Clang |
| misc-non-copyable-objects | Checked with clang-tidy | ||||||
Compass/ROSE | Can detect simple violations of this rule | ||||||||
Coverity |
| MISRA C |
1 (low)
2 (probable)
2 (medium)
P4
2012 Rule 22.5 | Partially implemented | ||||||||
Cppcheck Premium |
| premium-cert-fio38-c | Fully implemented | ||||||
Helix QAC |
| C1485, C5028 C++3113, C++3114 | |||||||
Klocwork |
| MISRA.FILE_PTR.DEREF.2012 | |||||||
LDRA tool suite |
| 591 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-FIO38-a | A pointer to a FILE object shall not be dereferenced | ||||||
PC-lint Plus |
| 9047 | Partially supported: reports when a FILE pointer is dereferenced | ||||||
| CERT C: Rule FIO38-C | Checks for misuse of a FILE object (rule fully covered) | |||||||
RuleChecker |
| file-dereference | Partially checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
...
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
ISO/IEC TS 17961:2013 | Copying a FILE object [filecpy] | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
...
...
9899:2024] | 7.23.3, |
...
"Files" |
...
FIO37-C. Don't assume character data has been read 09. Input Output (FIO) FIO39-C. Do not read in from a stream directly following output to that stream