CWE Rule 242
Description
The program calls a function that can never be guaranteed to work safely.
Polyspace Implementation
The rule checker checks for these issues:
Use of dangerous standard function
Use of obsolete standard function
Examples
This issue occurs when your code uses standard functions that write data to a buffer in a way that can result in buffer overflows.
The following table lists dangerous standard functions, the risks of using each function, and what function to use instead. The checker flags:
Any use of an inherently dangerous function.
An use of a possibly dangerous function only if the size of the buffer to which data is written can be determined at compile time. The checker does not flag an use of such a function with a dynamically allocated buffer.
| Dangerous Function | Risk Level | Safer Function |
|---|---|---|
gets
| Inherently dangerous — You cannot control the length of input from the console. |
fgets
|
std::cin::operator>> and
std::wcin::operator>> | Inherently dangerous — You cannot control the length of input from the console. |
Preface calls to To avoid potential
buffer overflow and truncated input, use
|
strcpy
| Possibly dangerous — If the size of the destination buffer is too small to accommodate the source buffer and a null terminator, a buffer overflow might occur. | Use the function strlen() to determine the size of the source buffer, and allocate sufficient memory so that the destination buffer can accommodate the source buffer and a null terminator. Instead of strcpy, use the function strncpy. |
stpcpy
| Possibly dangerous — If the source length is greater than the destination, buffer overflow can occur. |
stpncpy
|
lstrcpy or StrCpy | Possibly dangerous — If the source length is greater than the destination, buffer overflow can occur. |
StringCbCopy, StringCchCopy,
strncpy, strcpy_s, or
strlcpy |
strcat
| Possibly dangerous — If the concatenated result is greater than the destination, buffer overflow can occur. |
strncat, strlcat, or
strcat_s |
lstrcat or StrCat | Possibly dangerous — If the concatenated result is greater than the destination, buffer overflow can occur. |
StringCbCat, StringCchCat,
strncay, strcat_s, or
strlcat |
wcpcpy
| Possibly dangerous — If the source length is greater than the destination, buffer overflow can occur. |
wcpncpy
|
wcscat
| Possibly dangerous — If the concatenated result is greater than the destination, buffer overflow can occur. |
wcsncat, wcslcat, or
wcncat_s |
wcscpy
| Possibly dangerous — If the source length is greater than the destination, buffer overflow can occur. |
wcsncpy
|
sprintf
| Possibly dangerous — If the output length depends on unknown lengths or values, buffer overflow can occur. |
snprintf
|
vsprintf
| Possibly dangerous — If the output length depends on unknown lengths or values, buffer overflow can occur. |
vsnprintf
|
These functions can cause buffer overflow, which attackers can use to infiltrate your program.
The fix depends on the root cause of the defect. See fixes in the table above and code examples with fixes below.
If you do not want to fix the issue, add comments to your result or code to avoid another review. See:
Address Polyspace Results Through Bug Fixes or Justifications if you review results in the Polyspace user interface.
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser.
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE.
#include <stdio.h>
#include <string.h>
#include <iostream>
#define BUFF_SIZE 128
int dangerous_func(char *str)
{
char dst[BUFF_SIZE];
int r = 0;
if (sprintf(dst, "%s", str) == 1) //Noncompliant
{
r += 1;
dst[BUFF_SIZE-1] = '\0';
}
return r;
}This example function uses sprintf to copy
the string str to dst. However,
if str is larger than the buffer, sprintf can
cause buffer overflow.
snprintf with Buffer
SizeOne possible correction is to use snprintf instead
and specify a buffer size.
#include <stdio.h>
#include <string.h>
#include <iostream>
#define BUFF_SIZE 128
int dangerous_func(char *str)
{
char dst[BUFF_SIZE];
int r = 0;
if (snprintf(dst, sizeof(dst), "%s", str) == 1)
{
r += 1;
dst[BUFF_SIZE-1] = '\0';
}
return r;
}This issue occurs when you use standard function routines that are considered legacy, removed, deprecated, or obsolete by C/C++ coding standards.
| Obsolete Function | Standards | Risk | Replacement Function |
|---|---|---|---|
asctime
| Deprecated in POSIX.1-2008 | Not thread-safe. |
strftime or asctime_s |
asctime_r
| Deprecated in POSIX.1-2008 | Implementation based on unsafe
function sprintf. |
strftime or asctime_s |
bcmp
|
Deprecated in 4.3BSD Marked as legacy in POSIX.1-2001. | Returns from function after finding the first differing byte, making it vulnerable to timing attacks. |
memcmp
|
bcopy
|
Deprecated in 4.3BSD Marked as legacy in POSIX.1-2001. | Returns from function after finding the first differing byte, making it vulnerable to timing attacks. |
memcpy or memmove |
brk and sbrk | Marked as legacy in SUSv2 and POSIX.1-2001. |
malloc
| |
bsd_signal
| Removed in POSIX.1-2008 |
sigaction
| |
bzero
| Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. |
memset
| |
ctime
| Deprecated in POSIX.1-2008 | Not thread-safe. |
strftime or asctime_s |
ctime_r
| Deprecated in POSIX.1-2008 | Implementation based on unsafe
function sprintf. |
strftime or asctime_s |
cuserid
| Removed in POSIX.1-2001. | Not reentrant. Precise functionality not standardized causing portability issues. |
getpwuid
|
ecvt and fcvt | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008 | Not reentrant |
snprintf
|
ecvt_r and fcvt_r | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008 |
snprintf
| |
ftime
| Removed in POSIX.1-2008 |
time, gettimeofday, clock_gettime | |
gamma, gammaf, gammal | Function not specified in any standard because of historical variations | Portability issues. |
tgamma, lgamma |
gcvt
| Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. |
snprintf
| |
getcontext
| Removed in POSIX.1-2008. | Portability issues. | Use POSIX thread instead. |
getdtablesize
| BSD API function not included in POSIX.1-2001 | Portability issues. |
sysconf( _SC_OPEN_MAX )
|
gethostbyaddr
| Removed in POSIX.1-2008 | Not reentrant |
getaddrinfo
|
gethostbyname
| Removed in POSIX.1-2008 | Not reentrant |
getnameinfo
|
getpagesize
| BSD API function not included in POSIX.1-2001 | Portability issues. |
sysconf( _SC_PAGESIZE )
|
getpass
| Removed in POSIX.1-2001. | Not reentrant. |
getpwuid
|
getw
| Not present in POSIX.1-2001. |
fread
| |
getwd
| Marked legacy in POSIX.1-2001. Removed in POSIX.1-2008. |
getcwd
| |
index
| Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. |
strchr
| |
makecontext
| Removed in POSIX.1-2008. | Portability issues. | Use POSIX thread instead. |
memalign
| Appears in SunOS 4.1.3. Not in 4.4 BSD or POSIX.1-2001 |
posix_memalign
| |
mktemp
| Removed in POSIX.1-2008. | Generated names are predictable and can cause a race condition. |
mkstemp removes race risk |
pthread_attr_getstackaddr and pthread_attr_setstackaddr
| Ambiguities in the specification of the stackaddr attribute
cause portability issues |
pthread_attr_getstack and pthread_attr_setstack
| |
putw
| Not present in POSIX.1-2001. | Portability issues. |
fwrite
|
qecvt and qfcvt | Marked as legacy in POSIX.1-2001, removed in POSIX.1-2008 |
snprintf
| |
qecvt_r and qfcvt_r | Marked as legacy in POSIX.1-2001, removed in POSIX.1-2008 |
snprintf
| |
rand_r
| Marked as obsolete in POSIX.1-2008 | ||
re_comp
| BSD API function | Portability issues |
regcomp
|
re_exes
| BSD API function | Portability issues |
regexec
|
rindex
| Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. |
strrchr
| |
scalb
| Removed in POSIX.1-2008 |
scalbln, scalblnf, or scalblnl | |
sigblock
| 4.3BSD signal API whose origin is unclear |
sigprocmask
| |
sigmask
| 4.3BSD signal API whose origin is unclear |
sigprocmask
| |
sigsetmask
| 4.3BSD signal API whose origin is unclear |
sigprocmask
| |
sigstack
| Interface is obsolete and not implemented on most platforms. | Portability issues. |
sigaltstack
|
sigvec
| 4.3BSD signal API whose origin is unclear |
sigaction
| |
swapcontext
| Removed in POSIX.1-2008 | Portability issues. | Use POSIX threads. |
tmpnam and tmpnam_r | Marked as obsolete in POSIX.1-2008. | This function generates a different string each time it is called, up to TMP_MAX times. If it is called more than TMP_MAX times, the behavior is implementation-defined. |
mkstemp, tmpfile |
ttyslot
| Removed in POSIX.1-2001. | ||
ualarm
| Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | Errors are under-specified |
setitimer or POSIX timer_create |
usleep
| Removed in POSIX.1-2008. |
nanosleep
| |
utime
| SVr4, POSIX.1-2001. POSIX.1-2008 marks as obsolete. | ||
valloc
|
Marked as obsolete in 4.3BSD. Marked as legacy in SUSv2. Removed from POSIX.1-2001 |
posix_memalign
| |
vfork
|
Removed from POSIX.1-2008 | Under-specified in previous standards. |
fork
|
wcswcs
| This function was not included in the final ISO/IEC 9899:1990/Amendment 1:1995 (E). |
wcsstr
| |
WinExec
| WinAPI provides this function only for 16-bit Windows compatibility. |
CreateProcess
| |
LoadModule
| WinAPI provides this function only for 16-bit Windows compatibility. |
CreateProcess
|
The fix depends on the root cause of the defect. See fixes in the table above and code examples with fixes below.
If you do not want to fix the issue, add comments to your result or code to avoid another review. See:
Address Polyspace Results Through Bug Fixes or Justifications if you review results in the Polyspace user interface.
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser.
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE.
#include <stdio.h>
#include <time.h>
void timecheck_bad(int argc, char *argv[])
{
time_t ticks;
ticks = time(NULL);
printf("%.24s\r\n", ctime(&ticks)); //Noncompliant
}In this example, the function ctime formats
the current time and prints it out. However, ctime was
removed after C99 because it does not work on multithreaded programs.
One possible correction is to use strftime instead
because this function uses a set buffer size.
#include <stdio.h>
#include <string.h>
#include <time.h>
void timecheck_good(int argc, char *argv[])
{
char outBuff[1025];
time_t ticks;
struct tm * timeinfo;
memset(outBuff, 0, sizeof(outBuff));
ticks = time(NULL);
timeinfo = localtime(&ticks);
strftime(outBuff,sizeof(outBuff),"%I:%M%p.",timeinfo);
fprintf(stdout, outBuff);
}Check Information
| Category: API / Function Errors |
PQL Name:
std.cwe_native.R242
|
Version History
Introduced in R2023a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
Select a Web Site
Choose a web site to get translated content where available and see local events and offers. Based on your location, we recommend that you select: .
You can also select a web site from the following list
How to Get Best Site Performance
Select the China site (in Chinese or English) for best site performance. Other MathWorks country sites are not optimized for visits from your location.
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)