When one has a choice of two functions to accomplish the same task, prefer the one with better error checking.
Noncompliant Code Example (atoi()
)
This noncompliant code example converts the string token stored in the static array buff
to a signed integer value using the atoi()
function.
int si; if (argc > 1) { si = atoi(argv[1]); }
The atoi()
, atol()
, and atoll()
functions convert the initial portion of a string token to int
, long int
, and long long int
representation, respectively. Except for the behavior on error, they are equivalent to
atoi: (int)strtol(nptr, (char **)NULL, 10) atol: strtol(nptr, (char **)NULL, 10) atoll: strtoll(nptr, (char **)NULL, 10)
Unfortunately, atoi()
and related functions lack a mechanism for reporting errors for invalid values. Specifically, the atoi()
, atol()
, and atoll()
functions
- do not need to set
errno
on an error - have undefined behavior if the value of the result cannot be represented
- return 0 if the string does not represent an integer, which is indistinguishable from a correctly formatted, zero-denoting input string.
Compliant Solution (strtol()
)
The strtol()
, strtoll()
, strtoul()
, and strtoull()
functions convert a null-terminated byte string to long int
, long long int
, unsigned long int
, and unsigned long long int
representation, respectively.
This compliant solution uses strtol()
to convert a string token to an integer and ensures that the value is in the range of int
.
long sl; int si; char *end_ptr; if (argc > 1) { errno = 0; sl = strtol(argv[1], &end_ptr, 10); if ((sl == LONG_MIN) || (sl == LONG_MAX) || (end_ptr == argv[1])) { if (errno != 0) { perror("strtol error"); } else { if (puts("error encountered during conversion") == EOF) { /* Handle Error */ } } } else if (sl > INT_MAX) { printf("%ld too large!\n", sl); } else if (sl < INT_MIN) { printf("%ld too small!\n", sl); } else if ('\0' != *end_ptr) { if (puts("extra characters on input line\n") == EOF) { /* Handle Error */ } } else { si = (int)sl; } }
Both the non-compliant code example and compliant solution are taken from INT06-C. Use strtol() or a related function to convert a string token to an integer.
Noncompliant Code Example (rewind()
)
This noncompliant code example sets the file position indicator of an input stream back to the beginning using rewind()
.
char *file_name; FILE *fp; /* initialize file_name */ fp = fopen(file_name, "r"); if (fp == NULL) { /* Handle open error */ } /* read data */ rewind(fp); /* continue */
However, it is impossible to determine if rewind()
succeeded.
Compliant Solution (fseek()
)
This compliant solution uses fseek()
instead of rewind()
and checks to see if the operation succeeded.
char *file_name; FILE *fp; /* initialize file_name */ fp = fopen(file_name, "r"); if (fp == NULL) { /* Handle open error */ } /* read data */ if (fseek(fp, 0L, SEEK_SET) != 0) { /* Handle repositioning error */ } /* continue */
Both the non-compliant code example and compliant solution are taken from FIO07-C. Prefer fseek() to rewind().
Noncompliant Code Example (setbuf()
This noncompliant code example calls setbuf()
with a buf
argument of NULL
.
FILE *file; /* Setup file */ setbuf(file, NULL); /* ... */
It is not possible to determine if the call to setbuf()
succeeded.
Implementation Details
On 4.2BSD and 4.3BSD systems, setbuf()
always uses a suboptimal buffer size and should be avoided.
Compliant Solution (setvbuf()
)
This compliant solution calls setvbuf()
, which returns nonzero if the operation failed.
FILE *file; char *buf = NULL; /* Setup file */ if (setvbuf(file, buf, buf ? _IOFBF : _IONBF, BUFSIZ) != 0) { /* Handle error */ } /* ... */
Both the non-compliant code example and compliant solution are taken from FIO07-C. Prefer fseek() to rewind().
Risk Assessment
While it is rare for a violation of this rule to result in a security vulnerability, it can easily result in lost or misinterpreted data.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
INT06-C |
medium |
probable |
medium |
P8 |
L2 |
Automated Detection
This rule in general cannot be detected, although various examples can be detected by simply scanning for functions that have equivalent functions with better error handling.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Klein 02]]
[[ISO/IEC 9899:1999]] Section 7.20.1.4, "The strtol
, strtoll
, strtoul
, and strtoull
functions," Section 7.20.1.2, "The atoi
, atol
, and atoll
functions," Section 7.19.6.7, "The sscanf
function," Section 7.19.5.5, "The setbuf
function", Section 7.19.9.2, "The fseek function"; 7.19.9.5, and "The rewind function"
[[MITRE 07]] CWE ID 676, "Use of Potentially Dangerous Function," and CWE ID 20, "Insufficient Input Validation"
12. Error Handling (ERR) ERR30-C. Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure