...
| Code Block | ||
|---|---|---|
| ||
mytypedef_t x;
uintmax_t temp;
temp = x; /* Always secure if mytypedef_t is unsigned*/
/* ... Change the value of temp ... */
if (temp <= MYTYPEDEF_MAX) {
x = temp;
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <inttypes.h>
mytypedef_t x;
/* ... */
#ifdef _MSC_VER
printf("%llu", (uintmax_t) x);
#else
printf("%ju", (uintmax_t) x);
#endif |
Microsoft A feature request has been submitted a feature request to Microsoft to add support for the j length modifier to a future release of Microsoft Visual Studio.
...
This noncompliant code example can result in a buffer overflow if the size of mytypedef_t is smaller than unsigned long long, or it might result in an incorrect value if the size of mytypedef_t is larger than unsigned long long. Moreover, scanf() lacks the error checking capabilities of alternative conversion routines, such as strtol(). For more information, see INT06-C. Use strtol() or a related function to convert a string token to an integer.
Compliant Solution (
...
strtoumax())
This compliant solution guarantees that a correct value in the range of mytypedef_t is read, or an error condition is detected, assuming the value of MYTYPEDEF_MAX is correct as the largest value representable by mytypedef_t: The strtoumax() function is used instead of scanf() as it provides enhanced error checking functionality. The fgets() function is used to read input from stdin.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <inttypes.h> #include <errno.h> mytypedef_t x; uintmax_t temp; /* ... */ if (fgets(buff, sizeof(buff), stdin) == NULL) { if (scanfputs("%ju", &temp) != 1EOF or read error\n") == EOF) { /* Handle error */ } } else { if (temp > MYTYPEDEF_MAX /* Check for errors in the conversion */ errno = 0; temp = strtoumax(buff, &end_ptr, 10); if (ERANGE == errno) { if (puts("number out of range\n") == EOF) { /* Handle error */ } } else if (end_ptr == buff) { x = temp; } |
Compliant Solution (Microsoft scanf())
Visual Studio 2012 and earlier versions do not support the standard j length modifier and do not have a nonstandard analog. Consequently, the programmer must hard code the knowledge that intmax_t is int64_t and uintmax_t is for Microsoft Visual Studio versions.uint64_t
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> #include <inttypes.h> mytypedef_t x; uintmax_t temp; /* ... */ #ifdef _MSC_VER # define UINTMAX_CS "%llu" #else # define UINTMAX_CS "%ju" #endif if (scanf(UINTMAX_CS, &temp) != 1) { if (puts("not valid numeric input\n") == EOF) { /* Handle error */ } } else if ('\n' != *end_ptr && '\0' != *end_ptr) { if (puts("extra characters on input line\n") == EOF) { /* Handle error */ } } /* No conversion errors, attempt to store the converted value into x */ if (temp > MYTYPEDEF_MAX) { /* Handle error */ } else { x = temp; } |
...
}
} |
Risk Assessment
Failure to use an appropriate conversion specifier when inputting or outputting programmer-defined integer types can result in buffer overflow and lost or misinterpreted data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
INT15-C | High | Unlikely | Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Axivion Bauhaus Suite |
| CertC-INT15 | |||||||
| Compass/ROSE |
Can catch violations of this rule by scanning the | |||||||
| LDRA tool suite |
|
439 S
440 S
586 S
586 S | Enhanced Enforcement | ||||||||
| Parasoft C/C++test |
| CERT_C-INT15-a | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ |
| Coding Standard | VOID INT15-CPP. Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
| MITRE CWE | CWE-681, Incorrect conversion between numeric types |
Bibliography
| [Saks 2007c] | Standard C's Pointer Difference Type |
...
...