Section The C Standard, 7.1923.5.3 of C99 places the following restrictions on update streams \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\], paragraph 7 [ISO/IEC 9899:2024], places the following restrictions on update streams: Wiki Markup
When a file is opened with update mode both . . ., both input and output may be performed on the associated stream. However, output shall not be directly followed by input without an intervening call to the
fflush
function or to a file positioning function (fseek
,fsetpos
, orrewind
), and input shall not be directly followed by output without an intervening call to a file positioning function, unless the input operation encounters end-of-file. Opening (or creating) a text file with update mode may instead open (or create) a binary stream in some implementations.
The following scenarios will be diagnosed because either can result in undefined behavior. (See undefined behavior :
⢠Receiving 156.)
- Receiving input from a stream directly following an output to that stream without an intervening call to
fflush()
,fseek()
,fsetpos()
, orrewind()
if the file is not at end-of-file
...
- Outputting to a stream after receiving input from that stream without a call to
fseek()
,fsetpos()
, orrewind()
if the file is not at end-of-file
...
Consequently, a call to fseek()
, fflush()
, or fsetpos()
is necessary between input and output to the same stream.
...
See ERR07-C. Prefer functions that support error checking over equivalent functions that don't for more information on why fseek()
...
is preferred over rewind()
.
...
Noncompliant Code Example
This noncompliant code example appends data to a file and then reads from the same file.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> enum { BUFFERSIZE = 32 }; extern void initialize_data(char *data, size_t size); void func(const char *file_name) { char data[BUFFERSIZE]; char append_data[BUFFERSIZE]; char *file_name; FILE *file; /* Initialize file_name */ file = fopen(file_name, "a+"); if (file == NULL) { /* Handle error */ } /* initialize _data(append_data, */BUFFERSIZE); if (fwrite(append_data, BUFFERSIZE1, 1BUFFERSIZE, file) != BUFFERSIZE) { /* Handle error */ } if (fread(data, BUFFERSIZE1, 1BUFFERSIZE, file) !=< 0BUFFERSIZE) { /* Handle there not being data */ } if (fclose(file); ) == EOF) { /* Handle error */ } } |
Because there is no intervening flush or positioning call between the calls However, because the stream is not flushed in between the call to fread()
and fwrite()
, the behavior is undefined.
Compliant Solution
In this compliant solution, fseek()
is called in between the output and input, eliminating the undefined behavior.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> enum { BUFFERSIZE = 32 }; extern void initialize_data(char *data, size_t size); void func(const char *file_name) { char data[BUFFERSIZE]; char append_data[BUFFERSIZE]; char *file_name; FILE *file; /* initialize file_name */ file = fopen(file_name, "a+"); if (file == NULL) { /* Handle error */ } /* Initialize initialize_data(append_data, */ BUFFERSIZE); if (fwrite(append_data, BUFFERSIZE, 1, file) != BUFFERSIZE) { /* Handle error */ } if (fseek(file, 0L, SEEK_SET) != 0) { /* Handle error */ } if (fread(data, BUFFERSIZE, 1, file) != 0) { /* Handle there not being data */ } if (fclose(file); ) == EOF) { /* Handle error */ } } |
Risk Assessment
Alternately inputting and outputting from a stream without an intervening flush or positioning call results in is undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO39-C |
Low |
Likely |
Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|
Section |
---|
Fortify SCA |
Section |
---|
V. 5.0 |
Section |
---|
can detect violations of this rule with CERT C Rule Pack |
Astrée |
| Supported, but no explicit checker | |||||||
Axivion Bauhaus Suite |
| CertC-FIO39 | |||||||
CodeSonar |
| IO.IOWOP | Input After Output Without Positioning | ||||||
Compass/ROSE | Can detect simple violations of this rule | ||||||||
Helix QAC |
| DF4711, DF4712, DF4713 | |||||||
Klocwork |
| CERT.FIO.NO_FLUSH | |||||||
LDRA tool suite |
| 84 D | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-FIO39-a | Do not alternately input and output from a stream without an intervening flush or positioning call | ||||||
PC-lint Plus |
| 2478, 2479 | Fully supported | ||||||
| CERT C: Rule FIO39-C | Checks for alternating input and output from a stream without flush or positioning call (rule fully covered) |
Section |
---|
Compass/ROSE |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C | FIO50-CPP. Do not alternately input and output from a file stream without an intervening positioning call | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961:2013 | Interleaving stream inputs and outputs without a flush or positioning call [ioileave] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-664 | 2017-07-10: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-664 and FIO39-C
CWE-664 = Union( FIO39-C, list) where list =
- Improper use of an object (besides alternating reading/writing a file stream without an intervening flush
This CWE is vague on what constitutes “improper control of a resource”. It could include any violation of an object’s method constraints (whether they are documented or not). Or it could be narrowly interpreted to mean object creation and object destruction (which are covered by other CWEs).
Bibliography
...
2024] | 7. |
...
23.5.3, "The fopen |
...
Function" |
...
Bibliography
FIO38-C. Do not use a copy of a FILE object for input and output 09. Input Output (FIO) FIO40-C. Reset strings on fgets() failure