SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 21 Next »

Common mistakes in creating format strings include

  • Using invalid conversion specifiers
  • Using a length modifier on an incorrect specifier
  • Mismatching the argument and conversion specifier type
  • Using invalid character classes

The following are C99 compliant conversion specifiers [[ISO/IEC 9899-1999]] Using any other specifier may result in undefined behavior.

d, i, o, u, x, X, f, F, e, E, g, G, a, A, c, s, p, n, %

Only some of the conversion specifiers are able to correctly take a length modifier. Using a length modifier on any specifier other than the following may result in undefined behavior.

d, i, o, u, x, X, a, A, e, E, f, F, g, G

Character class ranges must also be properly specified with a hyphen in between two printable characters. The two following lines are both properly specified. The first accepts any character from a-z, inclusive, while the second accepts anything that is not a-z, inclusive. 

[a-z]
[^a-z]

Note that the range is in terms of character code values, and on an EBCDIC platform it will include some non-alphabetic codes. Consequently the isalpha() function should be used to verify the input.

Mismatches between arguments and conversion specifiers may result in undefined behavior. Many compilers can diagnose type mismatches in formatted output function invocations.

char const *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %s): %d\n", error_type, error_msg);

Risk Assessment

In most cases, incorrectly specified format strings will result in abnormal program termination.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00-A

low

unlikely

medium

P2

L3

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

GNU C allows the -Wformat compiler option that does substantial checking of formats and arguments.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 7.19.6.1, "The fprintf function"

09. Input Output (FIO)      09. Input Output (FIO)       FIO01-A. Be careful using functions that use file names for identification

  • No labels