MISRAC2012-Dir-4.14_j
Synopsis
(Required) The validity of values received from external sources shall be checked.
Enabled by default
Yes
Severity/Certainty
Medium/Medium

Full description
A value received from an external source (for example standard input or an environment variable) is used to build an LDAP search filter without being validated first. Filter metacharacters such as `*`, `(`, `)` and `\` in an unchecked value change the structure of the query (LDAP injection). Before a value is inserted into a filter it must be checked against an allow-list of acceptable content, and any remaining special characters must be escaped as required by RFC 4515.
Coding standards
- MISRA C:2012 Dir-4.14
(Required) The validity of values received from external sources shall be checked
Code examples
The following code example fails the check and will give a warning:
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

/* Declaration assumed to come from the LDAP library in use (e.g. <ldap.h>);
   the parameter types are kept simplified as in the original example. */
int ldap_search(void *ld, void *base, void *scope, char *filter, char **attrs, int attrsonly);

void example(void *ld, void *base, void *scope, char **attrs, int attrsonly) {
    char name[64];
    char query[80];
    /* External source: the name is read from stdin and never validated */
    if (fgets(name, sizeof name, stdin) == NULL)
        return;
    name[strcspn(name, "\n")] = '\0';
    /* The unchecked value is concatenated straight into the filter, so a
       name such as *)(uid=* alters the meaning of the query (LDAP injection) */
    strcpy(query, "cn=\"");
    strcat(query, name);
    strcat(query, "\"");
    ldap_search(ld, base, scope, query, attrs, attrsonly);
}
The following code example passes the check and will not give a warning about this issue:
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

/* Declaration assumed to come from the LDAP library in use (e.g. <ldap.h>) */
int ldap_search(void *ld, void *base, void *scope, char *filter, char **attrs, int attrsonly);

void example(void *ld, void *base, void *scope, char **attrs, int attrsonly) {
    char *query = getenv("MY_QUERY");
    /* The value from the environment (an external source) never reaches the
       filter: query is overwritten with a value supplied by the caller */
    query = attrs[0];
    ldap_search(ld, base, scope, query, attrs, attrsonly);
}
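The following is an added example of how the failing case above can be made to satisfy the directive; it is not part of the original rule page and not code from the checker vendor. It validates the externally supplied name against an allow-list (length and printable ASCII only) and then escapes the RFC 4515 filter metacharacters before building the `(cn=...)` filter with a bounded `snprintf`. The names `is_valid_cn`, `ldap_escape_filter_value`, `build_cn_filter` and the bound `CN_MAX` are assumptions made for this example; the call to the LDAP library is left to the caller.

```c
#include <stdio.h>
#include <string.h>

/* Added example: validate and escape an externally supplied value before it is
 * placed in an LDAP search filter. No LDAP library call is made here; the
 * caller hands the returned filter string to ldap_search() or equivalent. */

#define CN_MAX 63                  /* assumed upper bound for a common name */

/* Allow-list check for a cn value: 1..CN_MAX printable ASCII characters. */
int is_valid_cn(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > CN_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c > 0x7e)      /* control bytes and non-ASCII rejected */
            return 0;
    }
    return 1;
}

/* Escape a value for use inside an LDAP filter (RFC 4515): '*', '(', ')' and
 * '\' become \2a, \28, \29, \5c; non-printable bytes are hex-escaped as well.
 * Returns the length written (without terminator), or -1 if out is too small. */
int ldap_escape_filter_value(const char *in, char *out, size_t outsz) {
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        unsigned char c = *p;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\' ||
                       c < 0x20 || c > 0x7e);
        size_t need = special ? 3 : 1;
        if (o + need >= outsz)         /* keep room for the terminator */
            return -1;
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "(cn=<value>)" from an untrusted name. Returns 0 on success, -1 if the
 * name fails validation or the result does not fit in filter[filtersz]. */
int build_cn_filter(const char *name, char *filter, size_t filtersz) {
    char esc[3 * CN_MAX + 1];      /* worst case: every byte hex-escaped */
    if (!is_valid_cn(name))
        return -1;
    if (ldap_escape_filter_value(name, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(filter, filtersz, "(cn=%s)", esc);
    if (n < 0 || (size_t)n >= filtersz)
        return -1;
    return 0;
}

/* Stand-alone use: read a name from stdin (the external source) and print the
 * filter that would be handed to the LDAP library. */
int main(void) {
    char name[CN_MAX + 2];         /* room for a newline and the terminator */
    char filter[4 + 3 * CN_MAX + 2];
    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    name[strcspn(name, "\n")] = '\0';
    if (build_cn_filter(name, filter, sizeof filter) != 0) {
        fputs("rejected: invalid name\n", stderr);
        return 1;
    }
    printf("%s\n", filter);
    return 0;
}
```

With this in place an injection attempt such as `*)(uid=*` is turned into the literal value `\2a\29\28uid=\2a`, so the query still matches only an entry whose cn is exactly that string; the allow-list rejects empty, over-long, control-character and non-ASCII input outright, and the bounded `snprintf` removes the unbounded `strcpy`/`strcat` of the failing example.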