Do not use deprecated or obsolsecent functions when more secure equivalent functions are available.
Deprecated functions are defined by the C99 standard and Technical Corrigenda. Obsolescent functions are defined by this guideline.
Deprecated Functions
The gets() function was deprecated by Technical Corrigendum 3.
Obsolescent Functions
The following functions are obsolescent.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Noncompliant Code Example
In this noncompliant code example, strcat() and strcpy() are used.
enum { BUFFERSIZE=256 };
void complain(const char *msg) {
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFFERSIZE];
strcpy(buf, prefix);
strcat(buf, msg);
strcat(buf, suffix);
fputs(buf, stderr);
}
Compliant Solution
In this compliant solution, strcat() and strcpy() are replaced by strcat_s() and strcpy_s().
enum { BUFFERSIZE=256 };
void complain(const char *msg) {
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFFERSIZE];
strcpy_s(buf, BUFFERSIZE, prefix);
strcat_s(buf, BUFFERSIZE, msg);
strcat_s(buf, BUFFERSIZE, suffix);
fputs(buf, stderr);
}
Risk Assessment
The deprecated and obsolescent enumerated in this guideline are commonly associated with software vulnerabilities.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MSC33-C |
high |
high |
medium |
P9 |
L2 |
Automated Detection
Unknown.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
MSC32-C. Ensure your random number generator is properly seeded 49. Miscellaneous (MSC) 50. POSIX (POS)