CERT C: Rule FIO32-C

Do not perform operations on devices that are only appropriate for files

expand all in page

Description

Rule Definition

Do not perform operations on devices that are only appropriate for files.¹

Polyspace Implementation

The rule checker checks for Inappropriate I/O operation on device files.

Examples

expand all

Inappropriate I/O operation on device files

Issue

Inappropriate I/O operation on device files occurs when you do not check whether a file name parameter refers to a device file before you pass it to these functions:

fopen()
fopen_s()
freopen()
remove()
rename()
CreateFile()
CreateFileA()
CreateFileW()
_wfopen()
_wfopen_s()

Device files are files in a file system that provide an interface to device drivers. You can use these files to interact with devices.

Inappropriate I/O operation on device files does not raise a defect when:

You use stat or lstat-family functions to check the file name parameter before calling the previously listed functions.
You use a string comparison function to compare the file name against a list of device file names.

Risk

Operations appropriate only for regular files but performed on device files can result in denial-of-service attacks, other security vulnerabilities, or system failures.

Fix

Before you perform an I/O operation on a file:

Use stat(), lstat(), or an equivalent function to check whether the file name parameter refers to a regular file.
Use a string comparison function to compare the file name against a list of device file names.

Example - Using fopen() Without Checking file_name

#include <stdio.h>
#include <string.h>

#define SIZE1024 1024

FILE* func()
{

    FILE* f;
    const char file_name[SIZE1024] = "./tmp/file";
    
    if ((f = fopen(file_name, "w")) == NULL) { //Noncompliant
        /*handle error */
    };
    /*operate on file */
}

In this example, func() operates on the file file_name without checking whether it is a regular file. If file_name is a device file, attempts to access it can result in a system failure.

Correction — Check File with lstat() Before Calling fopen()

One possible correction is to use lstat() and the S_ISREG macro to check whether the file is a regular file. This solution contains a TOCTOU race condition that can allow an attacker to modify the file after you check it but before the call to fopen(). To prevent this vulnerability, ensure that file_name refers to a file in a secure folder.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define SIZE1024 1024

FILE* func()
{

    FILE* f;
    const char file_name[SIZE1024] = "./tmp/file";
    struct stat orig_st;
    if ((lstat(file_name, &orig_st) != 0) ||
        (!S_ISREG(orig_st.st_mode))) {
        exit(0);
    }
    if ((f = fopen(file_name, "w")) == NULL) {
        /*handle error */
    };
    /*operate on file */
}

Check Information

Group: Rule 09. Input Output (FIO)

Version History

Introduced in R2019a

¹ This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, ”SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.