MISRA C:2012 Dir 4.14

The validity of values received from external sources shall be checked

Description

Directive Definition

The validity of values received from external sources shall be checked.¹

This rule comes from MISRA C™: 2012 Amendment 1.

Rationale

The values originating from external sources can be invalid because of errors or deliberate modification by attackers. Before using the data, you must check the data for validity.

For instance:

Before using an external input as an array index, you must check if the input can potentially cause an array bounds error.
Before using an external variable to control a loop, you must check if the variable can potentially result in an infinite loop.

Polyspace Implementation

The rule checker looks for these issues:

Array access with tainted index.
Command executed from externally controlled path.
Execution of externally controlled command.
Host change using externally controlled elements.
Library loaded from externally controlled path.
Loop bounded with tainted value.
Memory allocation with tainted size.
Pointer dereference with tainted offset.
Tainted division operand.
Tainted modulo operand.
Tainted NULL or non-null-terminated string.
Tainted sign change conversion.
Tainted size of variable length array.
Tainted string format.
Use of externally controlled environment variable.
Use of tainted pointer.
Using an externally obtained string without a terminating null character in places where a null-terminated string is expected. Such use might result in undefined behavior. For instance, in this code, the function printf() expects string with a terminating null character. Using the character array str, which is not terminated by a null character, results in undefined behavior.
```
    char str[10];
    scanf("%10c", str);
    printf("%s",str);//Null terminated string expected
```
Using an externally obtained indeterminate string. For instance, a string might be indeterminate if you invoke an fgets() family function to set the value of the string but the function call fails:
```
    char buffer[10];
    fgets(buffer, sizeof(buffer), stdin); //buffer is indeterminate if fgets() fails
    printf("%s",buffer); // Possible undefined behvior
```
Because the function printf() expects a string with a terminating null character, using buffer with this function can result in undefined behavior.

Troubleshooting

If you expect a rule violation but do not see it, refer to Diagnose Why Coding Standard Violations Do Not Appear as Expected.

Examples

expand all

Validity of External Values Not Checked

#include <stdio.h>

void f1(char from_user[])
{
        char input [128];
        (void) sscanf (from_user, "%128c", input);
        (void) sprintf ("%s", input);/*Noncompliant*/
}

In this example, the sscanf statement is noncompliant as there is no check to ensure that the user input is null terminated. The subsequent sprintf statement that outputs the string can potentially lead to an array bounds error (buffer overrun).

Print Invalid External Input String

In this example, the functions scanf() and fgets() read two char arrays and then print the arrays by calling printf(). Because the input strings are obtained externally, they might be indeterminate or lack a terminating null character. Printing such strings by using printf() results in undefined behavior. Polyspace^® reports violations of this rule.


#include <stdio.h>
void echo_in() {
       //...
    char buffer[10];
    scanf("%10c", buffer);
	//...
    printf("%s", buffer); //Noncompliant - buffer is not null-terminated
	//...
    fgets(buffer, sizeof(buffer), stdin);
      //...
    printf("%s",buffer); //Noncompliant - buffer might be indeterminate
}

Check Information

Group: Code design

Category: Required

AGC Category: Required

Version History

Introduced in R2017a