SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 25 Next »

Common mistakes in creating format strings include

  • Using invalid conversion specifiers
  • Using a length modifier on an incorrect specifier
  • Mismatching the argument and conversion specifier type
  • Using invalid character classes

The following are C99 compliant conversion specifiers [[ISO/IEC 9899:1999]]. Using any other specifier may result in undefined behavior.

d, i, o, u, x, X, f, F, e, E, g, G, a, A, c, s, p, n, %

Only some of the conversion specifiers are able to correctly take a length modifier. Using a length modifier on any specifier other than the following may result in undefined behavior.

d, i, o, u, x, X, a, A, e, E, f, F, g, G

Character class ranges must also be properly specified with a hyphen in between two printable characters. The two following lines are both properly specified. The first accepts any character from a-z, inclusive, while the second accepts anything that is not a-z, inclusive. 

[a-z]
[^a-z]

Note that the range is in terms of character code values, and on an EBCDIC platform it will include some non-alphabetic codes. Consequently the isalpha() function should be used to verify the input.

Non-Compliant Code Example

Mismatches between arguments and conversion specifiers may result in undefined behavior. Many compilers can diagnose type mismatches in formatted output function invocations.

char const *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %s): %d\n", error_type, error_msg);

Compliant Solution

This compliant solution ensures that the format arguments match their respective format specifiers.

char const *error_msg = "Resource not available to user.";
int error_type = 3;
/* ... */
printf("Error (type %d): %s\n", error_type, error_msg);

Risk Assessment

In most cases, incorrectly specified format strings will result in abnormal program termination.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00-A

high

unlikely

medium

P6

L2

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

GNU C allows the -Wformat compiler option that does substantial checking of formats and arguments.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899:1999]] Section 7.19.6.1, "The fprintf function"

09. Input Output (FIO)      09. Input Output (FIO)       FIO01-A. Be careful using functions that use file names for identification

  • No labels