...
Alternatively, input character data as a null-terminated byte string and convert to an integer value using strtol()
or a related function. (See INT06ERR34-C. Use strtol() or a related function to convert a string token to an integerDetect errors when converting a string to a number.)
Noncompliant Code Example
...
Although it is relatively rare for a violation of this recommendation to result in a security vulnerability, it can easily result in lost or misinterpreted data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT05-C |
Medium |
Probable |
High | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-INT05 | |||||||
CodeSonar |
| MISC.NEGCHAR | Negative Character Value | ||||||
Compass/ROSE |
Can detect violations of this recommendation. In particular, it notes uses of the |
5.0
Can detect violations of this recommendation with the CERT C Rule Pack
Helix QAC |
| C5005 | |||||||
LDRA tool suite |
| 44 S | Enhanced Enforcement | ||||||
Parasoft C/C++test |
| CERT_C-INT05-a | Avoid using unsafe string functions that do not check bounds | ||||||
PC-lint Plus |
| 586 | Fully supported |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | VOID INT05-CPP. Do not use input functions to convert character data if they cannot handle all possible inputs |
MITRE CWE | CWE-192, Integer coercion error CWE-197, Numeric truncation error |
Bibliography
...
...