
IAR Embedded Workbench for RX 5.20

CERT-FIO30-C

Synopsis

Exclude user input from format strings.

Enabled by default

Yes

Severity/Certainty

High/High

Full description

Never call a formatted I/O function with a format string containing a tainted value. An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location. Consequently, the attacker can execute arbitrary code with the permissions of the vulnerable process [Seacord 2013b]. This check is identical to SEC-STRING-format-string.

Coding standards
CERT FIO30-C

Exclude user input from format strings

Code examples

The following code example fails the check and will give a warning:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
    int ret;
    /* User names are restricted to 256 or fewer characters */
    static const char msg_format[] = "%s cannot be authenticated.\n";
    size_t len = strlen(user) + sizeof(msg_format);
    char *msg = (char *)malloc(len);
    if (msg == NULL) {
        /* Handle error */
        return;
    }
    ret = snprintf(msg, len, msg_format, user);
    if (ret < 0) {
        /* Handle error */
    } else if ((size_t)ret >= len) {
        /* Handle truncated output */
    }
    /* Non-compliant: msg contains tainted data and is used as the format string */
    fprintf(stderr, msg);
    free(msg);
}

void example(void) {
    char passwd[256];
    gets(passwd); /* User input */
    incorrect_password(passwd);
}

The following code example passes the check and will not give a warning about this issue:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(const char *user) {
    int ret;
    /* User names are restricted to 256 or fewer characters */
    static const char msg_format[] = "%s cannot be authenticated.\n";
    size_t len = strlen(user) + sizeof(msg_format);
    char *msg = (char *)malloc(len);
    if (msg == NULL) {
        /* Handle error */
        return;
    }
    ret = snprintf(msg, len, msg_format, user);
    if (ret < 0) {
        /* Handle error */
    } else if ((size_t)ret >= len) {
        /* Handle truncated output */
    }
    /* Compliant: fputs() does not interpret msg as a format string */
    fputs(msg, stderr);
    free(msg);
}

void example(void) {
    char passwd[256];
    gets(passwd); /* User input */
    incorrect_password(passwd);
}
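
The following is an added example, not part of the original IAR documentation. It shows how many conversion specifications a formatted I/O function would act on if a tainted string were used as the format, and confirms that the compliant pattern emits the same string literally. The names count_conversions, format_auth_failure and log_auth_failure, the 320-byte buffer and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion specifications that a printf-family function would act on
 * if s were passed as the format argument. "%%" is a literal percent sign and
 * is not counted; a lone trailing '%' is counted because it is malformed. */
size_t count_conversions(const char *s) {
    size_t n = 0;
    while (*s != '\0') {
        if (*s == '%') {
            if (s[1] == '%') {
                s += 2;          /* escaped percent: harmless */
                continue;
            }
            n++;                 /* would be interpreted as a directive */
        }
        s++;
    }
    return n;
}

/* Compliant pattern: the format string is a literal and the tainted value is
 * only ever an argument. Returns 0 on success, -1 on error or truncation. */
int format_auth_failure(char *out, size_t outlen, const char *user) {
    int ret = snprintf(out, outlen, "%s cannot be authenticated.\n", user);
    if (ret < 0 || (size_t)ret >= outlen) {
        return -1;
    }
    return 0;
}

/* Emit the message without any further format interpretation. */
int log_auth_failure(FILE *stream, const char *user) {
    char msg[320];               /* 256-character user name plus fixed text */
    if (format_auth_failure(msg, sizeof msg, user) != 0) {
        return -1;
    }
    return fputs(msg, stream) == EOF ? -1 : 0;
}

int main(void) {
    const char *hostile = "%x%x%n";   /* constructed sample input */
    printf("directives in input: %zu\n", count_conversions(hostile));
    return log_auth_failure(stdout, hostile);
}
```

A nonzero count from count_conversions on logged input is a useful assertion in unit tests for logging paths: the output must contain those characters unchanged.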