...
Alternatively, input character data as a null-terminated byte string and convert to an integer value using strtol()
or a related function. (see INT06See ERR34-C. Use strtol() or a related function to convert a string token to an integer).Detect errors when converting a string to a number.)
Noncompliant Code Example
This noncompliant code example uses the scanf()
function to read a string from stdin
and convert it to a long
. The scanf()
and fscanf()
functions have undefined behavior if the value of the result of this operation cannot be represented as an integer.
Code Block | ||||
---|---|---|---|---|
| ||||
long slnum_long; if (scanf("%ld", &slnum_long) != 1) { /* handleHandle error */ } |
In general, do not use scanf()
to parse integers or floating-point numbers from input strings , because the input could contain numbers not representable by the argument type.
Compliant Solution (Linux)
...
This compliant example uses the Linux {{scanf()
}} implementation's built -in error handling to validate input. On Linux platforms, {{scanf()
}} sets {{errno
}} to {{ERANGE
}} if the result of integer conversion cannot be represented within the size specified by the format string \[ [Linux 08|AA. C References#Linux 08]\]. Note that this is a platform dependent solution. Therefore, this should only be used where portability is not a 2008]. Note that this solution is platform dependent, so it should be used only where portability is not a concern.
Code Block | ||||
---|---|---|---|---|
| ||||
long slnum_long; errno = 0; if (scanf("%ld", &slnum_long) != 1) { /* handleHandle error */ } else if (ERANGE == errno) { if (puts("number out of range\n") == EOF) { /* Handle error */ } } |
...
This compliant example uses fgets()
to input a string and strtol()
to convert the string to an integer. Error checking is provided to make sure that the value is a valid integer in the range of long
.
Code Block | ||||
---|---|---|---|---|
| ||||
char buff[25]; char *end_ptr; long slnum_long; if (fgets(buff, sizeof(buff), stdin) == NULL) { if (puts("EOF or read error\n") == EOF) { /* Handle error */ } } else { errno = 0; slnum_long = strtol(buff, &end_ptr, 10); if (ERANGE == errno) { if (puts("number out of range\n") == EOF) { /* Handle error */ } } else if (end_ptr == buff) { if (puts("not valid numeric input\n") == EOF) { /* Handle error */ } } else if ('\n' != *end_ptr && '\0' != *end_ptr) { if (puts("extra characters on input line\n") == EOF) { /* Handle error */ } } } |
Note that this solution treats any trailing characters, including white-space whitespace characters, as an error condition.
Risk Assessment
While it Although it is relatively rare for a violation of this recommendation to result in a security vulnerability, it can easily result in lost or misinterpreted data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT05-C |
Medium |
Probable |
High | P4 | L3 |
Automated Detection
Tool |
---|
...
Version | Checker | Description | |||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-INT05 | |||||||
CodeSonar |
| MISC.NEGCHAR | Negative Character Value | ||||||
Compass/ROSE |
...
Can detect violations of this recommendation. In particular, it notes uses of the |
...
Helix QAC |
| C5005 | |||||||
LDRA tool suite |
| 44 S | Enhanced Enforcement | ||||||
Parasoft C/C++test |
| CERT_C-INT05-a | Avoid using unsafe string functions that do not check bounds | ||||||
PC-lint Plus |
| 586 | Fully supported |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
...
Related Guidelines
...
...
...
References
Wiki Markup |
---|
\[[Klein 02|AA. C References#Klein 02]\]
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.6, "Formatted input/output functions"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 192|http://cwe.mitre.org/data/definitions/192.html], "Integer Coercion Error"; and [CWE ID 197|http://cwe.mitre.org/data/definitions/197.html], "Numeric Truncation Error"
\[[Linux 08|AA. C References#Linux 08]\] [scanf(3)|http://www.kernel.org/doc/man-pages/online/pages/man3/scanf.3.html] |
Bibliography
...
INT04-C. Enforce limits on integer values originating from untrusted sources 04. Integers (INT) INT06-C. Use strtol() or a related function to convert a string token to an integer