You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 30 Next »

Do not use functions that input character data and convert the data if these functions cannot handle all possible inputs. For example, formatted input functions such as scanf(), fscanf(), vscanf(), and vfscanf() can be used to read string data from stdin or (in the cases of fscanf() and vfscanf()) other input stream. These functions work fine for valid integer values but lack robust error handling for invalid values.

Instead of these functions, try inputing the value as a string and then converting it to an integer value using strtol() or a related function [[INT06-A. Use strtol() to convert a string token to an integer]].

Unable to render {include} The included page could not be found.
Unable to render {include} The included page could not be found.

Risk Assessment

While it is relatively rare for a violation of this rule to result in a security vulnerability, it could more easily result in loss or misinterpreted data.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT05-A

2 (medium)

2 (probable)

1 (high)

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Klein 02]]
[[ISO/IEC 9899-1999]] Section 7.20.1.4, "The strtol, strtoll, strtoul, and strtoull functions," and Section 7.19.6, "Formatted input/output functions"

  • No labels