...

Alternatively, input character data as a null-terminated byte string and convert it to an integer value using strtol() or a related function. (See guideline ERR34-C. Detect errors when converting a string to a number.)

Noncompliant Code Example

This noncompliant code example uses the scanf() function to read a string from stdin and convert it to a long. The scanf() and fscanf() functions have undefined behavior if the value of the result of this operation cannot be represented as an integer.

```c
#include <stdio.h>

long slnum_long;

/* Undefined behavior if the input value cannot be represented as a long */
if (scanf("%ld", &slnum_long) != 1) {
  /* Handle error */
}
```

In general, do not use scanf() to parse integers or floating-point numbers from input strings because the input could contain numbers not representable by the argument type.

Compliant Solution (Linux)

This compliant example uses the Linux scanf() implementation's built-in error handling to validate input. On Linux platforms, scanf() sets errno to ERANGE if the result of integer conversion cannot be represented within the size specified by the format string [Linux 2008]. Note that this solution is platform dependent, so it should be used only where portability is not a concern.

```c
#include <errno.h>
#include <stdio.h>

long slnum_long;
errno = 0;

if (scanf("%ld", &slnum_long) != 1) {
  /* Handle error */
}
else if (ERANGE == errno) {
  /* Linux-specific: the converted value does not fit in a long */
  if (puts("number out of range\n") == EOF) {
    /* Handle error */
  }
}
```

...

This compliant example uses fgets() to input a string and strtol() to convert the string to an integer. Error checking is provided to make sure that the value is a valid integer in the range of long.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

char buff[25];
char *end_ptr;
long slnum_long;

if (fgets(buff, sizeof(buff), stdin) == NULL) {
  if (puts("EOF or read error\n") == EOF) {
    /* Handle error */
  }
} else {
  errno = 0;

  slnum_long = strtol(buff, &end_ptr, 10);

  if (ERANGE == errno) {
    /* Value does not fit in a long */
    if (puts("number out of range\n") == EOF) {
      /* Handle error */
    }
  }
  else if (end_ptr == buff) {
    /* No digits were consumed */
    if (puts("not valid numeric input\n") == EOF) {
      /* Handle error */
    }
  }
  else if ('\n' != *end_ptr && '\0' != *end_ptr) {
    /* Something other than the line terminator follows the number */
    if (puts("extra characters on input line\n") == EOF) {
      /* Handle error */
    }
  }
}
```

Note that this solution treats any trailing characters, including whitespace characters, as an error condition.
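The same three checks (ERANGE, no digits consumed, trailing characters) packaged as a reusable function and exercised on constructed input lines; this is an added example, not code from the CERT guideline, and the enum and function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of one conversion attempt (names chosen for this example). */
enum parse_status {
    PARSE_OK,
    PARSE_OUT_OF_RANGE,   /* strtol() reported ERANGE */
    PARSE_NOT_NUMERIC,    /* no digits were consumed at all */
    PARSE_TRAILING_CHARS  /* digits followed by something other than '\n' */
};

/*
 * Convert one input line (as fgets() would return it) to a long, applying
 * the checks from the compliant solution: errno == ERANGE, end_ptr == line,
 * and a trailing character other than '\n' or '\0'.
 */
enum parse_status parse_long_line(const char *line, long *out) {
    char *end_ptr;

    errno = 0;
    long value = strtol(line, &end_ptr, 10);

    if (errno == ERANGE) {
        return PARSE_OUT_OF_RANGE;
    }
    if (end_ptr == line) {
        return PARSE_NOT_NUMERIC;
    }
    if (*end_ptr != '\n' && *end_ptr != '\0') {
        return PARSE_TRAILING_CHARS;
    }
    *out = value;
    return PARSE_OK;
}

int main(void) {
    /* Constructed sample lines: valid, leading spaces, overflow, junk, trailing text, empty */
    const char *samples[] = {
        "42\n", "  -17\n", "99999999999999999999999\n", "abc\n", "12 apples\n", "\n"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = 0;
        enum parse_status st = parse_long_line(samples[i], &v);
        printf("status %d, value %ld <- %s", (int)st, v, samples[i]);
    }
    return 0;
}
```

Leading whitespace is accepted because strtol() skips it before converting; an overflowing value yields PARSE_OUT_OF_RANGE rather than a silently clamped LONG_MAX.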

Risk Assessment

Although it is relatively rare for a violation of this recommendation to result in a security vulnerability, it can easily result in lost or misinterpreted data.

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|----------------|----------|------------|------------------|----------|-------|
| INT05-C        | Medium   | Probable   | High             | P4       | L3    |

Automated Detection

| Tool | Version | Checker | Description |
|------|---------|---------|-------------|
| Fortify SCA | V. 5.0 | | Can detect violations of this recommendation with the CERT C Rule Pack |
| Axivion Bauhaus Suite | | CertC-INT05 | |
| CodeSonar | | MISC.NEGCHAR | Negative Character Value |
| Compass/ROSE | | | Can detect violations of this recommendation. In particular, it notes uses of the scanf() family of functions where the type specifier is a floating-point or integer type |
| Helix QAC | | C5005 | |
| LDRA tool suite | | 44 S | Enhanced Enforcement |
| Parasoft C/C++test | | CERT_C-INT05-a | Avoid using unsafe string functions that do not check bounds |
| PC-lint Plus | | 586 | Fully supported |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

MITRE CWE: CWE-192, Integer coercion error; CWE-197, Numeric truncation error

Bibliography

[Klein 2002]
[ISO/IEC 9899:1999] Section 7.20.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.6, "Formatted input/output functions"
[MITRE 2007] CWE ID 192, "Integer Coercion Error" (http://cwe.mitre.org/data/definitions/192.html); and CWE ID 197, "Numeric Truncation Error" (http://cwe.mitre.org/data/definitions/197.html)
[Linux 2008] scanf(3) (http://www.kernel.org/doc/man-pages/online/pages/man3/scanf.3.html)


...
