According to the C Standard, 7.23.3, paragraph 6 [ISO/IEC 9899:2024],
The address of the
FILE
object used to control a stream may be significant; a copy of aFILE
object
...
is not required to serve in place of the original.
Consequently, do not use a copy of a FILE
object in any input/output operations.
...
Noncompliant Code Example
This non-compliant noncompliant code example can fail because a by-value copy of stdout
is being used in the call to fputs()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> int main(void) { FILE my_stdout = *(stdout); if (fputs("Hello, World!\n", &my_stdout) == EOF) { /* Handle Errorerror */ } return 0; } |
For example, this non-compliant example fails with an "access violation" when When compiled under Microsoft Visual Studio 2005 2013 and run under Windowson Windows, this noncompliant example results in an "access violation" at runtime.
Compliant Solution
In this compliant solution, a copy of the stdout
pointer to the FILE
object is used in the call to fputs()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> int main(void) { FILE *my_stdout = stdout; if (fputs("Hello, World!\n", my_stdout) == EOF) { /* Handle Errorerror */ } return 0; } |
Risk Assessment
Using a copy of a FILE
object in place of the original may result in a crash, which can be used in a denial-of-service attack.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO38-C |
Low |
Probable |
Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| file-dereference | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC-FIO38 | Fully implemented | ||||||
Clang |
| misc-non-copyable-objects | Checked with clang-tidy | ||||||
Compass/ROSE |
...
Can detect simple violations of this rule | |||||||||
Coverity |
| MISRA C 2012 Rule 22.5 | Partially implemented | ||||||
Cppcheck Premium |
| premium-cert-fio38-c | Fully implemented | ||||||
Helix QAC |
| C1485, C5028 C++3113, C++3114 | |||||||
Klocwork |
| MISRA.FILE_PTR.DEREF.2012 | |||||||
LDRA tool suite |
| 591 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-FIO38-a | A pointer to a FILE object shall not be dereferenced | ||||||
PC-lint Plus |
| 9047 | Partially supported: reports when a FILE pointer is dereferenced | ||||||
| CERT C: Rule FIO38-C | Checks for misuse of a FILE object (rule fully covered) | |||||||
RuleChecker |
| file-dereference | Partially checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.3, "Files" |
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
ISO/IEC TS 17961:2013 | Copying a FILE object [filecpy] | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
[ISO/IEC 9899:2024] | 7.23.3, "Files" |
...
FIO37-C. Don't assume character data has been read 09. Input Output (FIO)