Macros are frequently used in the remediation of existing code to globally replace one identifier with another, for example, when an existing API changes. While there Although some risk is always some risk involved, this practice becomes particularly dangerous if a function name is replaced with the function name of a deprecated or obsolescent functionsfunction. Deprecated functions are defined by the C99 standard C Standard and Technical Corrigenda. Obsolescent functions are defined by rule MSC34 MSC24-C. Do not use deprecated or obsolescent functions.
While Although compliance with rule MSC34 MSC24-C. Do not use deprecated or obsolescent functions guarantees compliance with this recommendation, the emphasis of this recommendation is the extremely risky and deceptive practice of replacing functions with less secure alternatives.
Noncompliant Code Example
...
The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) contained a vulnerability that introduced several potential buffer overflow conditions [VU#654390|AA. Bibliography#VU#654390]. ISC DHCP makes use of the {{vsnprintf()
}} function for writing various log file strings, which is defined in the Open Group Base Specifications Issue 6 \[[Open Group 2004|AA. Bibliography#Open Group 04]\] as well as C99 \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\]. For systems that do not support {{vsnprintf()}}, a C include file was created that defines the {{vsnprintf()}} function to {{vsprintf()}}, as shown in this noncompliant code strings; vsnprintf()
is defined in the Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 [IEEE Std 1003.1:2013] as well as in the C Standard. For systems that do not support vsnprintf()
, a C include file was created that defines the vsnprintf()
function to vsprintf()
, as shown in this noncompliant code example:
Code Block | ||||
---|---|---|---|---|
| ||||
#define vsnprintf(buf, size, fmt, list) \
vsprintf(buf, fmt, list)
|
The vsprintf()
function does not check bounds. Consequently, size
is discarded, creating the potential for a buffer overflow when untrusted data is used.
...
The solution is to include an implementation of the missing function vsnprintf()
to eliminate the dependency on external library functions when they are not available. This compliant solution assumes that __USE_ISOC99ISOC11
is not defined on systems that fail to provide a vsnprintf()
implementation.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> #ifndef __USE_ISOC99ISOC11 /* reimplementsReimplements vsnprintf() */ #include "my_stdio.h" #endif |
...
Replacing secure functions with less secure functions is a very risky practice because developers can be easily fooled into trusting the function to perform a security check that is absent. This may be a concern, for example, as developers attempt to adopt more secure functions, like the ISO/IEC TR 24731-1 functions such as the C11 Annex K functions, that might not be available on all platforms. (See recommendation STR07-C. Use TR 24731 for remediation of existing the bounds-checking interfaces for string manipulation code.)
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
PRE09-C |
High |
Likely |
Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported, but no explicit checker | |||||||
Axivion Bauhaus Suite |
| CertC-PRE09 | |||||||
Helix QAC |
| C5003 | |||||||
Polyspace Bug Finder |
| Checks for:
Rec. fully covered. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
Executing or Loading Untrusted Code |
...
[XYS] |
MITRE CWE |
...
...
Failure to |
...
provide specified functionality |
Bibliography
[IEEE Std 1003.1:2013] | XSH, System Interfaces, vsnprintf, vsprintf |
[Seacord 2013] | Chapter 6, "Formatted Output" |
[VU#654390] |
...
Bibliography
Wiki Markup |
---|
\[[Open Group 2004|AA. Bibliography#Open Group 04]\] [{{vsnprintf()}}|http://www.opengroup.org/onlinepubs/009695399/functions/vsnprintf.html]
\[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 6, "Formatted Output"
\[[VU#654390|AA. Bibliography#VU#654390]\] |
01. Preprocessor (PRE) PRE10-C. Wrap multi-statement macros in a do-while loop