SEC-STRING-format-string
In this section:
Synopsis
User input is used as a format string.
Enabled by default
Yes
Severity/Certainty
High/Medium

Full description
User input is used as a format string. An attacker might supply an input string that contains format tokens. Such a string can be used to read from and write to arbitrary memory locations, allowing the attacker to execute code, crash the application, or access sensitive information stored in memory. User input should be tested, using string comparison or similar, before being used as a format string. This check is identical to CERT-FIO30-C.
Coding standards
- CERT FIO30-C
Exclude user input from format strings
- CWE 134
Uncontrolled Format String
Code examples
The following code example fails the check and will give a warning:
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char** argv) {
        char mystring[100];
        if (fgets(mystring, sizeof mystring, stdin) == NULL)
            return 1;
        char buf[100];
        /* mystring comes straight from stdin and is passed as the format
         * argument, so any conversion specifiers it contains are honoured */
        snprintf(buf, sizeof buf, mystring);
        return 0;
    }
The following code example passes the check and will not give a warning about this issue:
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char** argv) {
        char mystring[100];
        if (fgets(mystring, sizeof mystring, stdin) == NULL)
            return 1;
        char buf[100];
        /* the format is a constant literal; mystring is only ever a %s
         * argument, so its contents are copied, never interpreted */
        snprintf(buf, sizeof buf, "%s", mystring);
        return 0;
    }
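The full description recommends testing user input by string comparison before it can influence a format string. The following added example (not part of the original page) shows one way to do that in C: user text selects a format only by exact match against a whitelist table, and a separate helper counts conversion specifications so a string can be rejected if it was ever about to be used as a format. The table contents and function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Whitelist lookup: return the trusted format whose name exactly matches
 * `name`, or NULL. Formats live only in this constant table. */
static const char *lookup_format(const char *name) {
    static const struct { const char *name; const char *fmt; } table[] = {
        { "plain",   "%s\n"   },
        { "bracket", "[%s]\n" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(name, table[i].name) == 0)
            return table[i].fmt;
    return NULL;
}

/* Count conversion specifications in `s`: a '%' not followed by another
 * '%'. A non-zero result means the string must not be used as a format. */
static int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Format `user_text` using the trusted format selected by `name`.
 * Returns the number of characters written, or -1 if `name` is unknown. */
static int format_user_text(char *out, size_t outsz,
                            const char *name, const char *user_text) {
    const char *fmt = lookup_format(name);
    if (fmt == NULL) return -1;
    /* user_text is only ever consumed by %s, never interpreted */
    return snprintf(out, outsz, fmt, user_text);
}

/* Convenience wrapper with a static buffer so results can be inspected
 * without the caller managing storage; returns NULL on an unknown name. */
static const char *format_demo(const char *name, const char *user_text) {
    static char buf[128];
    if (format_user_text(buf, sizeof buf, name, user_text) < 0)
        return NULL;
    return buf;
}
```

Even a hostile input such as "%x%x%n" is emitted verbatim, because the only strings that ever reach the format parameter are the literals in the table.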