
Macros are frequently used in the remediation of existing code to globally replace one identifier with another, for example, when an existing API changes. While there is always some risk involved, this practice becomes particularly dangerous if a function name is replaced with the name of a deprecated or obsolescent function. Deprecated functions are defined by the C99 standard and its Technical Corrigenda. Obsolescent functions are defined by this guideline.

Deprecated Functions

The gets function was deprecated by Technical Corrigendum 3.

Obsolescent Functions

The following functions are obsolescent: asctime, atof, atoi, atol, atoll, bsearch, ctime, fopen, fprintf, freopen, fscanf, fwprintf, fwscanf, getenv, gmtime, localtime, mbsrtowcs, mbstowcs, memcpy, memmove, printf, qsort, remove, rename, rewind, setbuf, snprintf, sprintf, sscanf, strcat, strcpy, strerror, strncat, strncpy, strtok, swprintf, swscanf, tmpfile, tmpfile_s, tmpnam, tmpnam_s, vfprintf, vfscanf, vfwprintf, vfwscanf, vprintf, vscanf, vsnprintf, vsprintf, vsscanf, vswprintf, vswscanf, vwprintf, vwscanf, wcrtomb, wcscat, wcscpy, wcsncat, wcsncpy, wcsrtombs, wcstok, wcstombs, wctomb, wmemcpy, wmemmove, wprintf, wscanf.

Noncompliant Code Example

The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) server contained a vulnerability that introduced several potential buffer overflow conditions [[VU#654390]]. ISC DHCP uses the vsnprintf() function, defined in the Open Group Base Specifications Issue 6 [[Open Group 04]] as well as in C99 [[ISO/IEC 9899:1999]], to write various log file strings. For systems that do not support vsnprintf(), a C include file was created that defines vsnprintf() as a macro expanding to vsprintf(), as shown in this noncompliant code example:

#define vsnprintf(buf, size, fmt, list) \
vsprintf(buf, fmt, list)

The vsprintf() function does not check bounds. Consequently, the size argument is silently discarded by the macro, creating the potential for a buffer overflow whenever untrusted data reaches the format arguments.

Compliant Solution

The solution is to include an implementation of the missing function vsnprintf() to eliminate the dependency on external library functions when they are not available. This compliant solution assumes that __USE_ISOC99 is not defined on systems that fail to provide a vsnprintf() implementation.

#include <stdio.h>
#ifndef __USE_ISOC99
  /* reimplements vsnprintf() */
  #include "my_stdio.h"
#endif
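As an added example (not code from ISC DHCP or from the CERT page), assuming a real vsnprintf() is available, a hypothetical bounded logging helper log_fmt() passes the caller's size through and reports truncation instead of discarding the bound as the macro above does; canary_intact() verifies that nothing is written past the buffer:

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded formatting helper: the caller's size always reaches
 * vsnprintf(), unlike the #define that maps vsnprintf() onto vsprintf().
 * Returns 0 on success, 1 if output was truncated, -1 on error. */
int log_fmt(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    int n;
    if (buf == NULL || size == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);   /* bounded: at most size-1 chars + NUL */
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return ((size_t)n >= size) ? 1 : 0; /* n >= size means truncation */
}

/* Formats into a size-byte buffer (size <= 64) and returns the resulting
 * string length, or -1 on error; shows that truncation stays in bounds. */
int formatted_len(size_t size, const char *fmt, const char *arg) {
    char buf[64];
    if (size > sizeof buf) return -1;
    if (log_fmt(buf, size, fmt, arg) < 0) return -1;
    return (int)strlen(buf);
}

/* Places a canary byte just past the size-byte region handed to log_fmt()
 * and reports 1 if the canary survived and the result is NUL-terminated
 * within the region, 0 otherwise (size <= 64). */
int canary_intact(size_t size, const char *fmt, const char *arg) {
    char region[64 + 1];
    const char canary = (char)0xAB;
    if (size > 64) return 0;
    memset(region, 'X', sizeof region);
    region[size] = canary;               /* one byte past the usable region */
    log_fmt(region, size, fmt, arg);
    return region[size] == canary && memchr(region, '\0', size) != NULL;
}
```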

Risk Assessment

Replacing secure functions with less secure functions is a very risky practice, because developers can easily be fooled into trusting a function to perform a bounds or security check that is absent. This is a concern, for example, when developers attempt to adopt more secure functions, such as the ISO/IEC TR 24731-1 functions (see STR07-C. Use TR 24731 for remediation of existing string manipulation code), that might not be available on all platforms.

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
PRE09-C         high      likely      medium            P18       L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C++ Secure Coding Standard as PRE09-CPP. Do not replace secure functions with less secure functions.

References

[[ISO/IEC 9899:1999]] Section 7.19.6.12, "The vsnprintf function"
[[ISO/IEC PDTR 24772]] "XYS Executing or Loading Untrusted Code"
[[MITRE 07]] CWE ID 684, "Failure to Provide Specified Functionality"
[[Open Group 04]] vsnprintf()
[[Seacord 05a]] Chapter 6, "Formatted Output"
[[VU#654390]]

