SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 41

changes.mady.by.user Roberto Bagnara

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Do not use deprecated or obsolete obsolescent functions when more secure equivalent functions are available. Deprecated functions are defined by the C Standard. Obsolete functions are typically functions for which there are more secure or portable alternatives available and are Obsolescent functions are defined by this rulerecommendation.

Deprecated Functions

The gets() function was deprecated by Technical Corrigendum 3 to C99 and eliminated from C11.  The Annex K gets_s() function is a recommended alternative to gets().

...

Obsolescent Functions

Functions in the first column of the following table are hereby defined to be obsolete obsolescent functions. To remediate invocations of obsolete obsolescent functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative nonobsolete non-obsolescent functions.

Obsolete

Obsolescent


Function

Recommended
Alternative

Rationale

asctime()

asctime_s()

Non-reentrant

atof()

strtod()

No error detection

atoi()

strtol()

No error detection

atol()

strtol()

No error detection

atoll()

strtoll()

No error detection

ctime()

ctime_s()

Non-reentrant

fopen()

fopen_s()

No exclusive access to file

freopen()

freopen_s()

No exclusive access to file

rewind()

fseek()

No error detection

setbuf()

setvbuf()

No error detection

The atof(), atoi(), atol(), and atoll() functions are obsolete obsolescent because the strodstrtod(), strtof(), strtol(), strtold(), strtoll(), strotulstrtoul(), and strtoull() functions can emulate their usage and have more robust error - handling capabilities. See INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs.

The fopen() and freopen() functions are obsolete obsolescent because the fopen_s() and freopen_s() functions in C11 Annex K can emulate their usage and improve security by protecting the file from unauthorized access by setting its file protection and opening the file with exclusive access [ISO/IEC 9899:2011WG14 N1173].

The setbuf() function is obsolete obsolescent because setbuf() does not return a value and can be emulated using setvbuf(). See FIO12ERR07-C. Prefer setvbuf() to setbuf()functions that support error checking over equivalent functions that don't.

The rewind() function is obsolete obsolescent because rewind() does not return a value and can be emulated using fseek(). See FIO07ERR07-C. Prefer fseek() to rewind()functions that support error checking over equivalent functions that don't.

The asctime() and ctime() functions are

...

obsolescent because they use non-reentrant static buffers and can be emulated using asctime_s() and ctime_s().

Unchecked

...

Obsolescent Functions

The following If you are using platforms that support Annex K, then functions in the first column of the following table are hereby defined to be unchecked obsolete functions:

 

bsearch

 

fprintf

fscanf

fwprintf

fwscanf

getenv

gmtime

localtime

mbsrtowcs

mbstowcs

memcpy

memmove

printf

qsort

setbuf

snprintf

sprintf

sscanf

strcat

strcpy

strerror

strncat

strncpy

strtok

swprintf

swscanf

vfprintf

vfscanf

vfwprintf

vfwscanf

vprintf

vscanf

vsnprintf

vsprintf

vsscanf

vswprintf

vswscanf

vwprintf

vwscanf

wcrtomb

wcscat

wcscpy

wcsncat

wcsncpy

wcsrtombs

wcstok

wcstombs

wctomb

wmemcpy

wmemmove

wprintf

wscanf

 

 

To remediate invocations of unchecked obsolete functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative nonobsolete functions from C11 Annex K  [ISO/IEC 9899:2011]:

abort_handler_s

 

bsearch_s

 

fprintf_s

freopen_s

fscanf_s

fwprintf_s

fwscanf_s

getenv_s

gets_s

gmtime_s

ignore_handler_s

localtime_s

mbsrtowcs_s

mbstowcs_s

memcpy_s

memmove_s

printf_s

qsort_s

scanf_s

set_constraint_handler_s

snprintf_s

snwprintf_s

sprintf_s

sscanf_s

strcat_s

strcpy_s

strerror_s

strerrorlen_s

strncat_s

strncpy_s

strnlen_s

strtok_s

swprintf_s

swscanf_s

vfprintf_s

vfscanf_s

vfwprintf_s

vfwscanf_s

vprintf_s

vscanf_s

vsnprintf_s

vsnwprintf_s

vsprintf_s

vsscanf_s

vswprintf_s

vswscanf_s

vwprintf_s

vwscanf_s

wcrtomb_s

wcrtoms_s

wcscat_s

wcscpy_s

wcsncat_s

wcsncpy_s

wcsnlen_s

wcsrtombs_s

wcstok_s

wcstombs_s

wctomb_s

wmemcpy_s

wmemmove_s

wprintf_s

wscanf_s

 

 

 

 

 

obsolescent functions, with functions in the second column being the recommended alternatives from Annex K.

Obsolescent
Function

Recommended
Alternative

bsearch()bsearch_s()
fprintf()fprintf_s()
fscanf()fscanf_s()
fwprintf()fwprintf_s()
fwscanf()fwscanf_s()
getenv()getenv_s()
gmtime()gmtime_s()
localtime()localtime_s()
mbsrtowcs()mbsrtowcs_s()
mbstowcs()mbstowcs_s()
memcpy()memcpy_s()
memmove()memmove_s()
printf()printf_s()
qsort()qsort_s()
scanf()scanf_s()
snprintf()snprintf_s()
sprintf()sprintf_s()
sscanf()sscanf_s()
strcat()strcat_s()
strcpy()strcpy_s()
strerror()strerror_s()
strlen()strnlen_s()
strncat()strncat_s()
strncpy()strncpy_s()
strtok()strtok_s()
swprintf()swprintf_s()
swscanf()swscanf_s()
vfprintf()vfprintf_s()
vfscanf()vfscanf_s()
vfwprintf()vfwprintf_s()
vfwscanf()vfwscanf_s()
vprintf()vprintf_s()
vscanf()vscanf_s()
vsnprintf()vsnprintf_s()
vsprintf()vsprintf_s()
vsscanf()vsscanf_s()
vswprintf()vswprintf_s()
vswscanf()vswscanf_s()
vwprintf()vwprintf_s()
vwscanf()vwscanf_s()
wcrtomb()wcrtomb_s()
wcscat()wcscat_s()
wcscpy()wcscpy_s()
wcslen()wcsnlen_s()
wcsncat()wcsncat_s()
wcsncpy()wcsncpy_s()
wcsrtombs()wcsrtombs_s()
wcstok()wcstok_s()
wcstombs()wcstombs_s()
wctomb()wctomb_s()
wmemcpy()wmemcpy_s()
wmemmove()wmemmove_s()
wprintf()wprintf_s()
wscanf()wscanf_s()

For information on the tmpfile() and tmpfile_s() functions, see FIO21-C. Do not create temporary files in shared directories.
For information on the memset() and memset_s() functions, see MSC06-C. Beware of compiler optimizations.

To remediate invocations of obsolescent functions, an application might use any of the following recommended functions from ISO/IEC TR 24731-2, Extensions to the C Library—Part II: Dynamic Allocation Functions [ISO/IEC TR 24731-2]or alternative nonobsolete functions from ISO/IEC TR 24731-2:2010 (Part II):

asprintf

aswprintf

fmemopen

fscanf

fwscanf

getdelim

getline

getwdelim

getwline

open_memstream

open_wmemstream

strdup

strndup

 


Noncompliant Code Example

In this noncompliant code example, the obsolete obsolescent functions strcat() and strcpy() are used:

Code Block
bgColor#FFcccc
#include <string.h>
#include <stdio.h>
 
enum { BUFSIZE = 32 };
void complain(const char *msg) {

  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZE];

  strcpy(buf, prefix);
  strcat(buf, msg);
  strcat(buf, suffix);
  fputs(buf, stderr);
}

Compliant Solution

In this compliant solution, strcat() and strcpy() are replaced by strcat_s() and strcpy_s():

Code Block
bgColor#ccccFF
langc
#define __STDC_WANT_LIB_EXT1__
#include <string.h>
#include <stdio.h>
 
enum { BUFFERSIZE = 256 };

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFFERSIZE];

  strcpy_s(buf, BUFFERSIZE, prefix);
  strcat_s(buf, BUFFERSIZE, msg);
  strcat_s(buf, BUFFERSIZE, suffix);
  fputs(buf, stderr);
}

Exceptions

...

Risk Assessment
The deprecated and obsolete obsolescent functions enumerated in this guideline are commonly associated with software vulnerabilities.
Rule
Severity
Likelihood
Remediation Cost
Priority
Level
MSC34
MSC24-C
High
Probable
Medium
P12
L1
Automated Detection
ToolVersionCheckerDescription
Astrée
 Include Page
Astrée_V
Astrée_V
stdlib-use-ato
stdlib-macro-ato
stdlib-use-atoll
stdlib-macro-atoll
Partially checked
Axivion Bauhaus Suite
 Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V
CertC-MSC24Fully implemented
CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
BADFUNC.*

(customization)
A number of CodeSonar's "Use of *" checks are for deprecated/obsolescent functions
CodeSonar also provides a mechanism for users to create custom checks for uses of specified functions
ECLAIR
 Include Page
ECLAIR_V
ECLAIR_V
CC2.MSC34
Fully implemented
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
44 S
Fully implemented
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_C-MSC24-a
CERT_C-MSC24-b
CERT_C-MSC24-c
CERT_C-MSC24-d
The library functions atof, atoi and atol from library stdlib.h shall not be used
The 'getenv()' function from the 'stdlib.h' or 'cstdlib' library shall not be used
Avoid using unsafe string functions which may cause buffer overflows
Don't use unsafe C functions that do write to range-unchecked buffers
PC-lint Plus
 Include Page
PC-lint Plus_V
PC-lint Plus_V
586
Fully supported
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C: Rec. MSC24-CChecks for use of obsolete standard function (rec. fully covered)

PVS-Studio
 Include Page
PVS-Studio_V
PVS-Studio_V
V513, V2001, V2002
RuleChecker
 Include Page
RuleChecker_V
RuleChecker_V
stdlib-use-ato
stdlib-macro-ato
stdlib-use-atoll
stdlib-macro-atoll
Partially checked
Related Vulnerabilities
Search for for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C Secure Coding Standard
FIO01
ERR07-C. 
 Be careful using functions that use file names for identification
FIO07-C. Prefer fseek() to rewind()
FIO12-C. Prefer setvbuf() to setbuf()
Prefer functions that support error checking over equivalent functions that don't
INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs
INT06
ERR34-C. 
 Use strtol() or a related function to convert a string token to an integer
 
Detect errors when converting a string to a number
STR06-C. Do not assume that strtok() leaves the parse string unchanged
STR07-C. Use 
 TR 24731 for remediation of existing 
the bounds-checking interfaces for string manipulation
 code
ISO/IEC TR 24772 Use of Libraries [TRJ]
ISO/IEC 9899:2011Annex K 
MISRA C:2012Rule 21.3 (required)
 
MITRE CWE
CWE-20, Insufficient input validation
CWE-73, External control of file name or path
CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-91, XML Injection (aka Blind XPath Injection)
CWE-94, Improper Control of Generation of Code ('Code Injection')
CWE-114, Process Control
CWE-120, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-192, Integer coercion error
CWE-197, Numeric truncation error
CWE-367, Time-of-check, time-of-use race condition
CWE-464, Addition of data structure sentinel
CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
CWE-676, Use of potentially dangerous function
Bibliography
[Apple 2006]Apple Secure Coding Guide, "Avoiding Race Conditions and Insecure File Operations"
[Burch 2006]Specifications for Managed Strings, Second Edition
[Drepper 2006]Section 2.2.1 "Identification When Opening"
ISO/IEC 9945:2003 
[IEEE Std 1003.1:2013]XSH, System Interfaces, open
ISO/IEC 23360-1:2006
 

[ISO/IEC WG14 N1173]Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces
[Klein 2002]"Bullet Proof Integer Input Using strtol()"
[Linux 2008]strtok(3)
[Open Group 2004]
"The open Function"
[Seacord 2013]Chapter 2, "Strings"
Chapter 8, "File I/O"
[Seacord 2005b]"Managed String Library for C, C/C++"
...

...
Image Modified Image Modified Image Modified