SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Never call any formatted I/O function with a format string containing user input.

If the user can control a format string, they can write to arbitrary memory locations.  The most common form of this error is in output operation.  The rarely used and often forgotten %n format specification causes the number of characters written to be written to a pointer passed on the stack.

Non-compliant Code Example 1

In the following example, the input is outputted directly as a format string.  By putting %n in the input, the user can write arbitrary values to the whatever the stack happens to point to.  This can frequently be leveraged to execute arbitrary code.  In any case, by including other point operations (such as %s), fprintf will interpret values on the stack as pointers.  This can be used to learn secret information and almost certainly can be used to crash the program.

char input[1000];
fgets(input, sizeof(input)-1, stdin);
input[sizeof(input)-1] = '\0';
fprintf(stdout, input);

Non-complaint Code Example 2

In the following example, the library function syslog() interprets the string msg as a format string, resulting the same security problem as before.  This is not an uncommon idiom when you want to display the same message multiple locations or the message is difficult to build.

void check_password(char \*user, char \*password) {
  if (strcmpy(password(user), password) \!= 0) {
    char \*msg = malloc(strlen(user) + 100);
    sprintf (msg, "Wrong password for user %s", user);
    syslog(LOG_INFO, msg);
    free(msg);
  }
}

Complaint Code Example 1

The following example outputs the string directly instead of building it and then outputting it.

void check_password(char \*user, char \*password) {
  if (strcmpy(password(user), password) \!= 0) {
    fprintf (stderr, "Wrong password for user %s", user);
  }
}

Complaint code Example 2

In this example, the message is built normally, but is then outputted as a string instead of a format string.

void check_password(char \*user, char \*password) {
  if (strcmpy(password(user), password) \!= 0) {
    char \*msg = malloc(strlen(user) + 100);
    sprintf (msg, "Wrong password for user %s", user);
    fprintf (stderr, "%s", user);
    syslog(LOG_INFO, "%s", msg);
    free(msg);
  }
}
  • No labels