JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.
If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.
| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
A function that should have a format string passed in a particular argument position has been passed a string that is not a trustworthy format string.
For the sake of this warning class, a string is considered to be a trustworthy format string if it is const or a string literal.
This class is a strict superset of Format String Injection.
| Class Name | Format String | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Significance | security | ||||||||||||||||||||||||
| Mnemonic | MISC.FMT | ||||||||||||||||||||||||
| Categories |
|
||||||||||||||||||||||||
| Availability | Available for C and C++. |
||||||||||||||||||||||||
| Enabling | Checks for this warning class are enabled by
default. To disable them, add the following WARNING_FILTER rule to the
project configuration file.
WARNING_FILTER += discard class="Format String" |
Japanese (ja)
#include <stdio.h>
#include <string.h>
void param_as_fmt(char *instr){
char buf[12];
if (strlen(instr) < 11) return;
strncpy(buf, instr, 11);
memset(buf, '\0', 11);
printf(buf); /* 'Format String' warning issued here
* - first argument to printf() is a non-const string
*/
}
void param_with_fmt(char *instr){
char buf[12];
if (strlen(instr) < 11) return;
strncpy(buf, instr, 11);
memset(buf, '\0', 11);
printf("%s", buf); /* ok: first argument to printf() is a string literal */
}
Untrusted or omitted format strings may not cause any problems during normal running of software, but they nonetheless represent a security vulnerability. In the example shown no problems will arise so long as the string read from standard input is actually a person's name, but an attacker might instead provide the input "%x %x %x %x" (a format string, but not from a trusted source). There are no unsigned integer (%x) arguments provided in this call to printf, but because printf can take a variable number of arguments this does not cause a problem. Instead the program simply computes the stack offset where additional arguments would have been located, had there been any, and prints four unsigned integers starting from that position. Because there were no additional arguments those stack locations will contain other, potentially sensitive data that has now been revealed to the attacker.
In the worst case format string attacks can crash the program, cause malicious code to be executed or allow the attacker to gain root privileges.
For all procedures, CodeSonar uses a statistical analysis to determine whether a format string is expected in a particular parameter position. The sensitivity of this analysis is controlled by the FORMAT_STRING_CHECKER_RATIO and FORMAT_STRING_CHECKER_CONFIDENCE parameters.
The following configuration file parameters affect checks for this warning class.
To report problems with this documentation, please visit https://support.codesecure.com/.