Common mistakes in creating format strings include
- Using invalid conversion specifiers
- Using a length modifier on an incorrect specifier
- Mismatching the argument and conversion specifier type
- Using invalid character classes
The following are C99 [[ISO/IEC 9899-1999]] compliant conversion specifiers. Using any other specifier may result in undefined behavior.
d, i, o, u, x, X, f, F, e, E, g, G, a, A, c, s, p, n, %
Only some of the conversion specifiers are able to correctly take a length modifier. Using a length modifier on any specifier other than the following may result in undefined behavior.
d, i, o, u, x, X, a, A, e, E, f, F, g, G
Character class ranges must also be properly specified with a hyphen in between two printable characters. The two following lines are both properly specified. The first accepts any character from a-z, inclusive, while the second accepts anything that is not a-z, inclusive.
[a-z] [^a-z]
Mismatches between arguments and conversion specifiers may result in undefined behavior. Many compilers can diagnose type mismatches in formatted output function invocations.
char const *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %s): %d\n", error_type, error_msg);
Risk Assessment
In most cases, incorrectly specified format strings will result in abnormal program termination.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO00-A |
low |
unlikely |
medium |
P2 |
L3 |
Automated Detection
The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.
GNU C allows the -Wformat compiler option that does substantial checking of formats and arguments.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.19.6.1, "The fprintf function"
09. Input Output (FIO) 09. Input Output (FIO) FIO01-A. Be careful using functions that use file names for identification