SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 73

changes.mady.by.user Masaki Kubo

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki MarkupThe C99 \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] function {{strtok()}} is a string tokenization function that takes two arguments: an initial string to be parsed and a const-qualified character delimiterdelimiter. It returns a pointer to the first character of a token or to a null pointer if there is no token.

The first time strtok() is called, the string is parsed into tokens , and a character delimiter. The strtok() function parses the string up to the first instance of the delimiter character, replaces the character in place with a null byte ('\0'), and returns the address of the first character in the token. Subsequent calls to strtok() begin parsing immediately after the most recently - placed null character.

Because strtok() modifies the initial string to be parsed, the string is subsequently unsafe and cannot be used in its original form. If you need to preserve the original string, copy it into a buffer and pass the address of the buffer to strtok() instead of the original string.

...

In this example, the strtok() function is used to parse the first argument into colon-delimited tokens; it outputs each word from the string on a new line. Assume that PATH is "/usr/bin:/usr/sbin:/sbin".

Code Block
bgColor#FFCCCC
langc
char *token;
char *path = getenv("PATH");

token = strtok(path, ":");
puts(token);

while (token = strtok(0, ":")) {
  puts(token);
}

printf("PATH: %s\n", path);
/* PATH is now just "/usr/bin" */

After the loop ends, path is modified as follows: "/usr/bin\0/bin\0/usr/sbin\0/sbin\0". This is an issue because the local path variable becomes /usr/bin and because the environment variable PATH has been unintentionally changed, which can have unintended consequences. (see See ENV30-C. Do not modify the string returned by getenv()).object referenced by the return value of certain functions.)

Compliant Solution

In this compliant solution, the string being tokenized is copied into a temporary buffer which buffer that is not referenced after the call to strtok():

Code Block
bgColor#ccccff
langc
char *token;
const char *path = getenv("PATH");
/* PATH is something like "/usr/bin:/bin:/usr/sbin:/sbin" */

char *copy = (char *)malloc(strlen(path) + 1);
if (copy == NULL) {
  /* handleHandle error */
}
strcpy(copy, path);
token = strtok(copy, ":");
puts(token);

while (token = strtok(0, ":")) {
  puts(token);
}

free(copy);
copy = NULL;

printf("PATH: %s\n", path);
/* PATH is still "/usr/bin:/bin:/usr/sbin:/sbin" */

Another possibility is to provide your own implementation of strtok() that does not modify the initial arguments.

Risk Assessment

Wiki MarkupTo quote the Linux The Linux Programmer's Manual (man) page on {{strtok(3)}} \ [[Linux 08|AA. C References#Linux 08]\]: <blockquote><p>Never use this function. This function modifies its first argument. The identity of the delimiting character is lost. This function cannot be used on constant strings.</p></blockquote>The improper use of {{strtok()}} is likely to result in truncated dataLinux 2008] states:

Never use this function. This function modifies its first argument. The identity of the delimiting character is lost. This function cannot be used on constant strings.

The improper use of strtok() is likely to result in truncated data, producing unexpected results later in program , producing unexpected results later in program execution.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

STR06-C

medium

Medium

likely

Likely

medium

Medium

P12

L1

Automated Detection

Tool

Fortify SCA Version 5.0 can detect violations of this recommendation.

...

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
(customization)Users who wish to avoid using strtok() entirely can add a custom check for all uses of strtok().
Compass/ROSE




Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5007
LDRA tool suite
Include Page
LDRA_V
LDRA_V

602 S

Enhanced Enforcement

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

...

Related Guidelines

SEI CERT C++

...

Coding Standard

...

VOID STR06-CPP. Do not assume that strtok() leaves the parse string unchanged

...

...

MITRE CWE

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.21.5.8, "The {{strtok}} function"
\[[Linux 08|AA. C References#Linux 08]\] [strtok(3)|http://www.kernel.org/doc/man-pages/online/pages/man3/strtok.3.html]
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 464|http://cwe.mitre.org/data/definitions/464.html], "Addition of Data Structure Sentinel"

CWE-464, Addition of data structure sentinel

Bibliography

[Linux 2008]strtok(3)


...

Image Added Image Added Image AddedImage Removed      07. Characters and Strings (STR)      STR07-C. Use TR 24731 for remediation of existing string manipulation code