SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 28 Next »

Common mistakes in creating format strings include

  • Using invalid conversion specifiers
  • Using a length modifier on an incorrect specifier
  • Mismatching the argument and conversion specifier type
  • Using invalid character classes

The following are C99 compliant conversion specifiers [[ISO/IEC 9899:1999]]. Using any other specifier may result in undefined behavior.

d, i, o, u, x, X, f, F, e, E, g, G, a, A, c, s, p, n, %

Only some of the conversion specifiers are able to correctly take a length modifier. Using a length modifier on any specifier other than the following may result in undefined behavior.

d, i, o, u, x, X, a, A, e, E, f, F, g, G

Character class ranges must also be properly specified with a hyphen in between two printable characters. The two following lines are both properly specified. The first accepts any character from a-z, inclusive, while the second accepts anything that is not a-z, inclusive. 

[a-z]
[FIO00-C. Take care when creating format strings^a-z]

Note that the range is in terms of character code values, and on an EBCDIC platform it will include some non-alphabetic codes. Consequently the isalpha() function should be used to verify the input.

Noncompliant Code Example

Mismatches between arguments and conversion specifiers may result in undefined behavior. Many compilers can diagnose type mismatches in formatted output function invocations.

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %s): %d\n", error_type, error_msg);

Compliant Solution

This compliant solution ensures that the format arguments match their respective format specifiers.

const char *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %d): %s\n", error_type, error_msg);

Risk Assessment

In most cases, incorrectly specified format strings will result in abnormal program termination.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00-C

high

unlikely

medium

P6

L2

Automated Detection

The LDRA tool suite V 7.6.0 can detect violations of this recommendation.

GCC Compiler can detect violations of this recommendation when the -Wformat flag is used.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899:1999]] Section 7.19.6.1, "The fprintf function"
[[MITRE 07]] CWE ID 686, "Function Call With Incorrect Argument Type"

09. Input Output (FIO)      09. Input Output (FIO)      

  • No labels