Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated UB references from C11->C23

Subclause 7.21The C Standard, 7.23.5.3 of the C Standard , paragraph 7 [ISO/IEC 9899:20112024], places the following restrictions on update streams:

...

The following scenarios can result in undefined behavior 151:. (See undefined behavior 156.)

  •  Receiving input from a stream directly following an output to that stream without an intervening call to fflush(), fseek(), fsetpos(), or rewind() if the file is not at end-of-file
  •  Outputting to a stream after receiving input from that stream without a call to fseek(), fsetpos(), or rewind() if the file is not at end-of-file

Noncompliant Code Example

...

Code Block
bgColor#ffcccc
langc
#include <stdio.h>
 
enum { BUFFERSIZE = 32 };

extern void initialize_data(char *data, size_t size);
 
void func(const char *file_name) {
  char data[BUFFERSIZE];
  char append_data[BUFFERSIZE];
  FILE *file;

  file = fopen(file_name, "a+");
  if (file == NULL) {
    /* Handle error */
  }
 
  initialize_data(append_data, BUFFERSIZE);

  if (fwrite(append_data, BUFFERSIZE1, 1BUFFERSIZE, file) != BUFFERSIZE) {
    /* Handle error */
  }
  if (fread(data, BUFFERSIZE1, 1BUFFERSIZE, file) !=< 0BUFFERSIZE) {
    /* Handle there not being data */
  }

  if (fclose(file) == EOF) {
    /* Handle error */
  }
}

However, because the stream is not flushed between the call Because there is no intervening flush or positioning call between the calls to fread() and fwrite(), the behavior is undefined.

Compliant Solution

In this compliant solution, fseek() is called between the output and input, eliminating the undefined behavior:

...

Alternately inputting and outputting from a stream without an intervening flush or positioning call is undefined behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO39-C

Low

Likely

Medium

P6

L2

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported, but no explicit checker
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-FIO39
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

IO.IOWOP
IO.OIWOP

Input After Output Without Positioning
Output After Input Without Positioning

Compass/ROSE
  


Can detect simple violations of this rule

Fortify SCA

5.0

 

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF4711, DF4712, DF4713


Klocwork

Include Page
Klocwork_V
Klocwork_V

CERT.FIO.NO_FLUSH
Can detect violations of this rule with CERT C Rule Pack


LDRA tool suite
Include Page
LDRA_V
LDRA_V

84 D

Fully implemented
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-FIO39-a

Do not alternately input and output from a stream without an intervening flush or positioning call
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

2478, 2479

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule FIO39-CChecks for alternating input and output from a stream without flush or positioning call (rule fully covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C
++ Secure Coding Standard
FIO39
FIO50-CPP. Do not alternately input and output from a file stream without an intervening
flush or
positioning call
CERT C Secure Coding Standardvoid FIO07-C. Prefer fseek() to rewind() 
Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961:2013Interleaving stream inputs and outputs without a flush or positioning call [ioileave]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-6642017-07-10: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-664 and FIO39-C

CWE-664 = Union( FIO39-C, list) where list =


  • Improper use of an object (besides alternating reading/writing a file stream without an intervening flush


This CWE is vague on what constitutes “improper control of a resource”. It could include any violation of an object’s method constraints (whether they are documented or not). Or it could be narrowly interpreted to mean object creation and object destruction (which are covered by other CWEs).

Bibliography

[ISO/IEC 9899:
2011
2024]
Subclause
7.
21
23.5.3, "The fopen Function"

...


...

Image Modified Image Modified Image Modified