According to C99, Section 7.19.3 p6:
The address of the
FILE
object used to control a stream may be significant; a copy of aFILE
object need not serve in place of the original.
Consequently, do not use a copy of a FILE
object in any input/output operations.
Noncompliant Code Example
This noncompliant code example can fail because a copy of stdout
is being used in the call to fputs()
.
int main(void) { FILE my_stdout = *(stdout); if (fputs("Hello, World!\n", &my_stdout) == EOF) { /* Handle error */ } return 0; }
For example, this noncompliant example fails with an "access violation" when compiled under Microsoft Visual Studio 2005 and run under Windows.
Compliant Solution
In this compliant solution, a copy of the pointer to the FILE
object is used in the call to fputs()
.
int main(void) { FILE *my_stdout = stdout; if (fputs("Hello, World!\n", my_stdout) == EOF) { /* Handle error */ } return 0; }
Risk Assessment
Using a copy of a FILE
object in place of the original may result in a crash, which can be used in a denial-of-service attack.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
FIO38-C |
low |
probable |
medium |
P4 |
L3 |
Automated Detection
Compass/ROSE can detect simple violations of this rule.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as FIO38-CPP. Do not use a copy of a FILE object for input and output.
Bibliography
[ISO/IEC 9899:1999] Section 7.19.3, "Files"
FIO37-C. Do not assume that fgets() returns a nonempty string when successful 09. Input Output (FIO)