...
| Code Block | ||
|---|---|---|
| ||
mytypedef_t x;
uintmax_t temp;
temp = x; /* Always secure if mytypedef_t is unsigned*/
/* ... Change the value of temp ... */
if (temp <= MYTYPEDEF_MAX) {
x = temp;
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <inttypes.h>
mytypedef_t x;
/* ... */
#ifdef _MSC_VER
printf("%llu", (uintmax_t) x);
#else
printf("%ju", (uintmax_t) x);
#endif |
Microsoft A feature request has been submitted a feature request to Microsoft to add support for the j length modifier to a future release of Microsoft Visual Studio.
...
This noncompliant code example can result in a buffer overflow if the size of mytypedef_t is smaller than unsigned long long, or it might result in an incorrect value if the size of mytypedef_t is larger than unsigned long long. Moreover, scanf() lacks the error checking capabilities of alternative conversion routines, such as strtol(). For more information, see INT06-C. Use strtol() or a related function to convert a string token to an integer).
Compliant Solution (strtoumax())
This compliant solution guarantees that a correct value in the range of mytypedef_t is read, or an error condition is detected, assuming the value of MYTYPEDEF_MAX is correct as the largest value representable by mytypedef_t: We use the The strtoumax() function is used instead of scanf, () as it provides enhanced error checking functionality. The fgets() function is used to read input from stdin.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <inttypes.h>
#include <errno.h>
mytypedef_t x;
uintmax_t temp;
/* ... */
if (fgets(buff, sizeof(buff), stdin) == NULL) {
if (puts("EOF or read error\n") == EOF) {
/* Handle error */
}
} else {
/* Check for errors in the conversion */
errno = 0;
temp = strtoumax(buff, &end_ptr, 10);
if (ERANGE == errno) {
if (puts("number out of range\n") == EOF) {
/* Handle error */
}
}
else if (end_ptr == buff) {
if (puts("not valid numeric input\n") == EOF) {
/* Handle error */
}
}
else if ('\n' != *end_ptr && '\0' != *end_ptr) {
if (puts("extra characters on input line\n") == EOF) {
/* Handle error */
}
}
/* No conversion errors, attempt to store the converted value into x */
if (temp > MYTYPEDEF_MAX) {
/* Handle error */
} else {
x = temp;
}
} |
...
Failure to use an appropriate conversion specifier when inputting or outputting programmer-defined integer types can result in buffer overflow and lost or misinterpreted data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
INT15-C | High | Unlikely | Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Axivion Bauhaus Suite |
| CertC-INT15 | |||||||
| Compass/ROSE |
Can catch violations of this rule by scanning the | |||||||
| LDRA tool suite |
|
439 S
440 S
586 S
586 S | Enhanced Enforcement | ||||||||
| Parasoft C/C++test |
| CERT_C-INT15-a | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ |
| Coding Standard | VOID INT15-CPP. Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
| MITRE CWE | CWE-681, Incorrect conversion between numeric types |
Bibliography
| [Saks 2007c] | Standard C's Pointer Difference Type |
...
...