Page History

Do not use deprecated or obsolsecent obsolescent functions when more secure equivalent functions are available.
Deprecated functions are defined by the C99 standard and Technical CorrigendaC Standard. Obsolescent functions are defined by this guidelinerecommendation.

Deprecated Functions

The gets() function was deprecated by Technical Corrigendum 3 to C99 and eliminated from C11.  The Annex K gets_s() function is a recommended alternative to gets().

Obsolescent Functions

The following functions are obsolescent.

Functions in the first column of the following table are hereby defined to be obsolescent functions. To remediate invocations of obsolescent functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-obsolescent functions.

The atof(), atoi(), atol(), and atoll() functions are obsolescent because the strtod(), strtof(), strtol(), strtold(), strtoll(), strtoul(), and strtoull() functions can emulate their usage and have more robust error handling capabilities. See INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs.

The fopen() and freopen() functions are obsolescent because the fopen_s() and freopen_s() functions can emulate their usage and improve security by protecting the file from unauthorized access by setting its file protection and opening the file with exclusive access [ISO/IEC WG14 N1173].

The setbuf() function is obsolescent because setbuf() does not return a value and can be emulated using setvbuf(). See ERR07-C. Prefer functions that support error checking over equivalent functions that don't.

The rewind() function is obsolescent because rewind() does not return a value and can be emulated using fseek(). See ERR07-C. Prefer functions that support error checking over equivalent functions that don't.

The asctime() and ctime() functions are obsolescent because they use non-reentrant static buffers and can be emulated using asctime_s() and ctime_s().

Unchecked Obsolescent Functions

If you are using platforms that support Annex K, then functions in the first column of the following table are hereby defined to be obsolescent functions, with functions in the second column being the recommended alternatives from Annex K.

For information on the tmpfile() and tmpfile_s() functions, see FIO21-C. Do not create temporary files in shared directories.
For information on the memset() and memset_s() functions, see MSC06-C. Beware of compiler optimizations.

To remediate invocations of obsolescent functions, an application might use any of the following recommended functions from ISO/IEC TR 24731-2, Extensions to the C Library—Part II: Dynamic Allocation Functions [ISO/IEC TR 24731-2]:

Noncompliant Code Example

In this noncompliant code example, the obsolescent functions strcat() and  and strcpy() are  are used.:

#include <string.h>
#include <stdio.h>
 
enum { BUFFERSIZEBUFSIZE =256 32 };

void complain(const char *msg) {

  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZEBUFSIZE];

  strcpy(buf, prefix);
  strcat(buf, msg);
  strcat(buf, suffix);
  fputs(buf, stderr);
}

Compliant Solution

In this compliant solution, strcat() and strcpy() are replaced by strcat_s() and strcpy_s().:

#define __STDC_WANT_LIB_EXT1__
#include <string.h>
#include <stdio.h>
 
enum { BUFFERSIZE = 256 };

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZE];

  strcpy_s(buf, BUFFERSIZE, prefix);
  strcat_s(buf, BUFFERSIZE, msg);
  strcat_s(buf, BUFFERSIZE, suffix);
  fputs(buf, stderr);
}

Risk Assessment

The deprecated and obsolescent functions enumerated in this guideline are commonly associated with software vulnerabilities.

Automated Detection

Unknown.

Related Vulnerabilities

Automated Detection

Related Vulnerabilities

Search for Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[Burch 06|AA. References#Burch06]\]
\[[CERT 06c|AA. References#CERT 06c]\]
\[[ISO/IEC 9945:2003|AA. References#ISO/IEC 9945-2003]\]
\[[ISO/IEC 9899:1999|AA. References#ISO/IEC 9899-1999]\] Section 7.21, "String handling <{{string.h}}>"
\[[ISO/IEC 23360-1:2006|AA. References#ISO/IEC 23360-1-2006]\]
\[[ISO/IEC TR 24731-1:2007|AA. References#ISO/IEC TR 24731-1-2007]\]
\[[ISO/IEC PDTR 24731-2|AA. References#ISO/IEC PDTR 24731-2-2007]\]
\[[MISRA 04|AA. References#MISRA 04]\] Rule 20.4
\[[Seacord 05a|AA. References#Seacord 05a]\] Chapter 2, "Strings"

Related Guidelines

Bibliography

...

Image Added Image Added Image AddedImage Removed      49. Miscellaneous (MSC)      50. POSIX (POS)