JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.
If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.
| CodeSonar® 9.0p0 Hot Tips | CONFIDENTIAL | CodeSecure Inc |
A potentially-tainted value is used in a format string argument.
This class is a strict subset of Format String.
| Class Name | Format String Injection | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Significance | security | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Mnemonic | IO.INJ.FMT | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Categories |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Availability | Available for C and C++. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Enabling | Checks for this warning class are enabled by
default. To disable them, add the following WARNING_FILTER rule to the
project configuration file.
WARNING_FILTER += discard class="Format String Injection" |
Japanese (ja)
#include <stdio.h>
void tainted_input_as_fmt(void){
char greeting[18] = "hello";
char buf[12];
printf("what is your name?\n");
if (!fgets(buf, 12, stdin)) return;
printf(buf); /* 'Format String Injection' warning issued here
* - first argument to printf() has file taint
* ('Format String' warning also issued here)
*/
}
void tainted_input_with_fmt(void){
char greeting[18] = "hello";
char buf[12];
printf("what is your name?\n");
if (!fgets(buf, 12, stdin)) return;
printf("%s", buf); /* ok: first argument to printf() is a string literal */
}
Untrusted or omitted format strings may not cause any problems during normal running of software, but they nonetheless represent a security vulnerability. In the example shown no problems will arise so long as the string read from standard input is actually a person's name, but an attacker might instead provide the input "%x %x %x %x" (a format string, but not from a trusted source). There are no unsigned integer (%x) arguments provided in this call to printf, but because printf can take a variable number of arguments this does not cause a problem. Instead the program simply computes the stack offset where additional arguments would have been located, had there been any, and prints four unsigned integers starting from that position. Because there were no additional arguments those stack locations will contain other, potentially sensitive data that has now been revealed to the attacker.
In the worst case format string attacks can crash the program, cause malicious code to be executed or allow the attacker to gain root privileges.
CodeSonar ships with library models that allow it to recognize a large number of functions that take a format string parameter. Some examples are shown in the table below. If one of these functions is called with a tainted value in the format string parameter position, a warning will be issued.
If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering Format String Injection warnings.
| Functions that can trigger warnings include... | |
|---|---|
| Apache Portable Runtime (APR) | apr_psprintf(), apr_pvsprintf() |
| gcc Builtins | __builtin___fprintf_chk(), __builtin_snprintf() |
| libc | fprintf(), syslog() |
| Win32 | StringCchVPrintfA(), StringCchVPrintfW(), vsprintf_s() |
The following configuration file parameters affect checks for this warning class.