Do not use deprecated or Obsolete functions when more secure equivalent functions are available. Deprecated functions are defined by the C Standard. Obsolete functions are typically functions for which there are more secure or portable alternatives available and are defined by this rule.
Deprecated Functions
The gets function was deprecated by Technical Corrigendum 3 to C99 and eliminated from C1X.
Obsolete Functions
Functions in the first column of the following table are hereby defined to be Obsolete functions. To remediate invocations of Obsolete functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-Obsolete functions.
Obsolete | Recommended | Rationale |
|---|---|---|
|
| Non-reentrant. |
|
| No error detection. |
|
| No error detection. |
|
| No error detection. |
|
| No error detection. |
|
| Non-reentrant. |
|
| No exclusive access to file. |
|
| No exclusive access to file. |
|
| No error detection. |
|
| No error detection. |
The atof, atoi, atol, and atoll functions are Obsolete because the strod, strtof, strtol, strtold, strtoll, strotul, and strtoull functions can emulate their usage and have more robust error handling capabilities. See guideline INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs [CERT C Secure Coding Standard 2010].
The fopen and freopen functions are Obsolete because the fopen_s and freopen_s functions can emulate their usage and improve security by protecting the file from unauthorized access by setting its file protection and opening the file with exclusive access [ISO/IEC WG14 N1173].
The setbuf function is Obsolete because setbuf does not return a value and can be emulated using setvbuf. See guideline FIO12-C. Prefer setvbuf() to setbuf() [CERT C Secure Coding Standard 2010].
The rewind function is Obsolete because rewind does not return a value and can be emulated using fseek. See guideline FIO07-C. Prefer fseek() to rewind() [CERT C Secure Coding Standard 2010].
The asctime and ctime functions are Obsolete because they use non-reentrant static buffers and can be emulated using asctime_s and ctime_s.
Unchecked Obsolete Functions
The following are hereby defined to be unchecked Obsolete functions:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To remediate invocations of unchecked Obsolete functions, an application might use inline coding that, in all respects, conforms to this guideline, or an alternative library that, in all respects, conforms to this guideline, or alternative non-Obsolete functions from ISO/IEC TR 24731 (Part 1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
or alternative non-Obsolete functions from ISO/IEC DTR 24731-2 (Part 2)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Noncompliant Code Example
In this noncompliant code example, the Obsolete functions strcat and strcpy are used.
void complain(const char *msg) {
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFSIZE];
strcpy(buf, prefix);
strcat(buf, msg);
strcat(buf, suffix);
fputs(buf, stderr);
}
Compliant Solution
In this compliant solution, strcat() and strcpy() are replaced by strcat_s() and strcpy_s().
enum { BUFFERSIZE=256 };
void complain(const char *msg) {
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFFERSIZE];
strcpy_s(buf, BUFFERSIZE, prefix);
strcat_s(buf, BUFFERSIZE, msg);
strcat_s(buf, BUFFERSIZE, suffix);
fputs(buf, stderr);
}
Noncompliant Code Example
In this noncompliant code example, the Obsolete function setbuf is used.
FILE *file; /* Setup file */ setbuf(file, NULL); /* ... */
Compliant Solution
In this compliant solution.
Noncompliant Code Example
In this noncompliant code example, tmpnam is used.
char file_name[L_tmpnam];
FILE *fp;
if (!tmpnam(file_name)) {
/* Handle error */
}
/* A TOCTOU race condition exists here */
fp = fopen(file_name, "wb+");
if (fp == NULL) {
/* Handle error */
}
Compliant Solution
In this compliant solution.
Noncompliant Code Example
In this noncompliant code example, tmpfile is used.
FILE *fp = tmpfile();
if (fp == NULL) {
/* Handle error */
}
Compliant Solution
In this compliant solution.
Exceptions
MSC34-EX1: If an out-of-bounds store cannot occur in a specific invocation of a function, the invocation of that function is permitted by this rule. The rationale for this exception is that the simple use of such a function in a program does not mean that the program is incorrect. A requirement to eliminate the use of such a function requires that the programmer replace calls to the deprecated or obsolete function with calls to the alternative functions. Unfortunately, the process of modifying existing code frequently introduces defects and vulnerabilities and is therefore not recommended. New code should be developed in conformance to this guideline, however.
Risk Assessment
The deprecated and Obsolete enumerated in this guideline are commonly associated with software vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC34-C | high | probable | medium | P12 | L1 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC 9899:1999 Section 7.19.3, "Files," and Section 7.19.4, "Operations on Files," Section 7.19.5.5, "The setbuf function"; 7.19.9.2, "The fseek function"; 7.19.9.5 "The rewind function"; and 7.21, "String handling <string.h>," Section 7.20.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.6, "Formatted input/output functions," Section 7.21.5.8, "The strtok function"
ISO/IEC JTC1/SC22/WG11 Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces
ISO/IEC TR 24772 "TRJ Use of Libraries"
MISRA Rule 20.4
MITRE CWE: CWE-73 "External Control of File Name or Path, "CWE-367, "Time-of-check Time-of-use Race Condition," CWE-676, "Use of Potentially Dangerous Function," CWE-192, "Integer Coercion Error," CWE-197, "Numeric Truncation Error," CWE-464, "Addition of Data Structure Sentinel," CWE-676, "Use of Potentially Dangerous Function," and CWE-20, "Insufficient Input Validation"
Bibliography
[Burch 2006]
[CERT 2006c]
[Seacord 2005a] Chapter 2, "Strings"
Bibliography
[Apple Secure Coding Guide] "Avoiding Race Conditions and Insecure File Operations"
[CERT C Secure Coding Standard 2010]"MSC34-C. Do not use deprecated or obsolete functions", "FIO01-C. Be careful using functions that use file names for identification", "FIO07-C. Prefer fseek() to rewind()", "FIO12-C. Prefer setvbuf() to setbuf()", "INT05-C. Do not use input functions to convert character data if they cannot handle all possible inputs", "INT06-C. Use strtol() or a related function to convert a string token to an integer", "STR06-C. Do not assume that strtok() leaves the parse string unchanged", "STR07-C. Use TR 24731 for remediation of existing string manipulation code"
[Drepper 2006] Section 2.2.1 "Identification When Opening"
[Klein 2002]
[Linux 2007] strtok(3)
[Open Group 2004] "The open function"
[Seacord 2005a] Chapter 2, "Strings," and Chapter 7, "File I/O"
[Seacord 2005b]
49. Miscellaneous (MSC) MSC35-C. Do not include any executable statements inside a switch statement before the first case label