Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-1081

Insecure functions should not be used

    Details

    • Message:
      Remove the use of this insecure 'xxxxx' function.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Covered Languages:
      C, C++, Objective-C
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • CERT:
      STR07-C.
    • CWE:
      CWE-676, CWE-119
    • OWASP:
      A9
    • SANS Top 25:
      Risky Resource Management

      Description

      When using typical C functions, it's up to the developer to make sure the size of the buffer to be written to is large enough to avoid buffer overflows. Buffer overflows can cause the program to crash at a minimum. At worst, a carefully crafted overflow can cause malicious code to be executed.

      This rule reports use of the following insecure functions, for which knowing the required size is not generally possible: gets() and getpw().

      In such cases. The only way to prevent buffer overflow while using these functions would be to control the execution context of the application.
      It is much safer to secure the application from within and to use an alternate, secure function which allows you to define the maximum number of characters to be written to the buffer:

      • fgets or gets_s
      • getpwuid

      Noncompliant Code Example

      gets(str); // Noncompliant; `str` buffer size is not checked and it is vulnerable to overflows
      

      Compliant Solution

      gets_s(str, sizeof(str)); // Prevent overflows by enforcing a maximum size for `str` buffer
      

      See

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                loic.joly Loïc Joly
                Reporter:
                freddy.mallet Freddy Mallet (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: