Main Content

CWE Rule 242

Use of Inherently Dangerous Function

Since R2023a

expand all in page

Description

Rule Description

The program calls a function that can never be guaranteed to work safely.

Polyspace Implementation

The rule checker checks for these issues:

  • Use of dangerous standard function

  • Use of obsolete standard function

Examples

expand all

Issue

This issue occurs when your code uses standard functions that write data to a buffer in a way that can result in buffer overflows.

The following table lists dangerous standard functions, the risks of using each function, and what function to use instead. The checker flags:

  • Any use of an inherently dangerous function.

  • An use of a possibly dangerous function only if the size of the buffer to which data is written can be determined at compile time. The checker does not flag an use of such a function with a dynamically allocated buffer.

Dangerous FunctionRisk LevelSafer Function
getsInherently dangerous — You cannot control the length of input from the console.fgets
std::cin::operator>> and std::wcin::operator>>Inherently dangerous — You cannot control the length of input from the console.

Preface calls to cin by cin.width to control the input length. This method can result in truncated input.

To avoid potential buffer overflow and truncated input, use std::string objects as destinations for >> operator.

strcpyPossibly dangerous — If the size of the destination buffer is too small to accommodate the source buffer and a null terminator, a buffer overflow might occur. Use the function strlen() to determine the size of the source buffer, and allocate sufficient memory so that the destination buffer can accommodate the source buffer and a null terminator. Instead of strcpy, use the function strncpy.
stpcpyPossibly dangerous — If the source length is greater than the destination, buffer overflow can occur.stpncpy
lstrcpy or StrCpyPossibly dangerous — If the source length is greater than the destination, buffer overflow can occur.StringCbCopy, StringCchCopy, strncpy, strcpy_s, or strlcpy
strcatPossibly dangerous — If the concatenated result is greater than the destination, buffer overflow can occur.strncat, strlcat, or strcat_s
lstrcat or StrCatPossibly dangerous — If the concatenated result is greater than the destination, buffer overflow can occur.StringCbCat, StringCchCat, strncay, strcat_s, or strlcat
wcpcpyPossibly dangerous — If the source length is greater than the destination, buffer overflow can occur.wcpncpy
wcscatPossibly dangerous — If the concatenated result is greater than the destination, buffer overflow can occur.wcsncat, wcslcat, or wcncat_s
wcscpyPossibly dangerous — If the source length is greater than the destination, buffer overflow can occur.wcsncpy
sprintfPossibly dangerous — If the output length depends on unknown lengths or values, buffer overflow can occur.snprintf
vsprintfPossibly dangerous — If the output length depends on unknown lengths or values, buffer overflow can occur.vsnprintf
Risk

These functions can cause buffer overflow, which attackers can use to infiltrate your program.

Fix

The fix depends on the root cause of the defect. See fixes in the table above and code examples with fixes below.

If you do not want to fix the issue, add comments to your result or code to avoid another review. See:

Example — Using sprintf
#include <stdio.h>
#include <string.h>
#include <iostream>

#define BUFF_SIZE 128


int dangerous_func(char *str)
{
    char dst[BUFF_SIZE];
    int r = 0;

    if (sprintf(dst, "%s", str) == 1)  //Noncompliant
    {
        r += 1;
        dst[BUFF_SIZE-1] = '\0';
    }
    
    return r;
}

This example function uses sprintf to copy the string str to dst. However, if str is larger than the buffer, sprintf can cause buffer overflow.

Correction — Use snprintf with Buffer Size

One possible correction is to use snprintf instead and specify a buffer size.

#include <stdio.h>
#include <string.h>
#include <iostream>

#define BUFF_SIZE 128


int dangerous_func(char *str)
{
    char dst[BUFF_SIZE];
    int r = 0;

    if (snprintf(dst, sizeof(dst), "%s", str) == 1)
    {
        r += 1;
        dst[BUFF_SIZE-1] = '\0';
    }
    
    return r;
}
Issue

This issue occurs when you use standard function routines that are considered legacy, removed, deprecated, or obsolete by C/C++ coding standards.

Obsolete FunctionStandardsRiskReplacement Function
asctimeDeprecated in POSIX.1-2008Not thread-safe.strftime or asctime_s
asctime_rDeprecated in POSIX.1-2008Implementation based on unsafe function sprintf.strftime or asctime_s
bcmp

Deprecated in 4.3BSD

Marked as legacy in POSIX.1-2001.

Returns from function after finding the first differing byte, making it vulnerable to timing attacks. memcmp
bcopy

Deprecated in 4.3BSD

Marked as legacy in POSIX.1-2001.

Returns from function after finding the first differing byte, making it vulnerable to timing attacks. memcpy or memmove
brk and sbrkMarked as legacy in SUSv2 and POSIX.1-2001. malloc
bsd_signalRemoved in POSIX.1-2008 sigaction
bzeroMarked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. memset
ctimeDeprecated in POSIX.1-2008Not thread-safe.strftime or asctime_s
ctime_rDeprecated in POSIX.1-2008Implementation based on unsafe function sprintf.strftime or asctime_s
cuseridRemoved in POSIX.1-2001.Not reentrant. Precise functionality not standardized causing portability issues.getpwuid
ecvt and fcvtMarked as legacy in POSIX.1-2001. Removed in POSIX.1-2008Not reentrantsnprintf
ecvt_r and fcvt_rMarked as legacy in POSIX.1-2001. Removed in POSIX.1-2008 snprintf
ftimeRemoved in POSIX.1-2008 time, gettimeofday, clock_gettime
gamma, gammaf, gammalFunction not specified in any standard because of historical variationsPortability issues.tgamma, lgamma
gcvtMarked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. snprintf
getcontextRemoved in POSIX.1-2008.Portability issues. Use POSIX thread instead.
getdtablesizeBSD API function not included in POSIX.1-2001Portability issues.sysconf( _SC_OPEN_MAX )
gethostbyaddrRemoved in POSIX.1-2008Not reentrantgetaddrinfo
gethostbynameRemoved in POSIX.1-2008Not reentrantgetnameinfo
getpagesizeBSD API function not included in POSIX.1-2001Portability issues.sysconf( _SC_PAGESIZE )
getpassRemoved in POSIX.1-2001.Not reentrant.getpwuid
getwNot present in POSIX.1-2001. fread
getwdMarked legacy in POSIX.1-2001. Removed in POSIX.1-2008. getcwd
indexMarked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. strchr
makecontextRemoved in POSIX.1-2008.Portability issues. Use POSIX thread instead.
memalignAppears in SunOS 4.1.3. Not in 4.4 BSD or POSIX.1-2001 posix_memalign
mktempRemoved in POSIX.1-2008.Generated names are predictable and can cause a race condition.mkstemp removes race risk
pthread_attr_getstackaddr and pthread_attr_setstackaddr Ambiguities in the specification of the stackaddr attribute cause portability issuespthread_attr_getstack and pthread_attr_setstack
putwNot present in POSIX.1-2001.Portability issues.fwrite
qecvt and qfcvtMarked as legacy in POSIX.1-2001, removed in POSIX.1-2008 snprintf
qecvt_r and qfcvt_rMarked as legacy in POSIX.1-2001, removed in POSIX.1-2008 snprintf
rand_rMarked as obsolete in POSIX.1-2008  
re_compBSD API functionPortability issuesregcomp
re_exesBSD API functionPortability issuesregexec
rindexMarked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. strrchr
scalbRemoved in POSIX.1-2008 scalbln, scalblnf, or scalblnl
sigblock4.3BSD signal API whose origin is unclear sigprocmask
sigmask4.3BSD signal API whose origin is unclear sigprocmask
sigsetmask4.3BSD signal API whose origin is unclear sigprocmask
sigstackInterface is obsolete and not implemented on most platforms.Portability issues.sigaltstack
sigvec4.3BSD signal API whose origin is unclear sigaction
swapcontextRemoved in POSIX.1-2008Portability issues. Use POSIX threads.
tmpnam and tmpnam_rMarked as obsolete in POSIX.1-2008.This function generates a different string each time it is called, up to TMP_MAX times. If it is called more than TMP_MAX times, the behavior is implementation-defined. mkstemp, tmpfile
ttyslotRemoved in POSIX.1-2001.  
ualarmMarked as legacy in POSIX.1-2001. Removed in POSIX.1-2008.Errors are under-specifiedsetitimer or POSIX timer_create
usleepRemoved in POSIX.1-2008. nanosleep
utimeSVr4, POSIX.1-2001. POSIX.1-2008 marks as obsolete.  
valloc

Marked as obsolete in 4.3BSD.

Marked as legacy in SUSv2.

Removed from POSIX.1-2001

 posix_memalign
vfork

Removed from POSIX.1-2008

Under-specified in previous standards.fork
wcswcsThis function was not included in the final ISO/IEC 9899:1990/Amendment 1:1995 (E).  wcsstr
WinExecWinAPI provides this function only for 16-bit Windows compatibility. CreateProcess
LoadModuleWinAPI provides this function only for 16-bit Windows compatibility. CreateProcess
Fix

The fix depends on the root cause of the defect. See fixes in the table above and code examples with fixes below.

If you do not want to fix the issue, add comments to your result or code to avoid another review. See:

Example — Printing Out Time
#include <stdio.h>
#include <time.h> 

void timecheck_bad(int argc, char *argv[])
{
    time_t ticks; 

    ticks = time(NULL);
    printf("%.24s\r\n", ctime(&ticks));  //Noncompliant
}

In this example, the function ctime formats the current time and prints it out. However, ctime was removed after C99 because it does not work on multithreaded programs.

Correction — Different Time Function

One possible correction is to use strftime instead because this function uses a set buffer size.

#include <stdio.h>
#include <string.h>
#include <time.h> 

void timecheck_good(int argc, char *argv[])
{
    char outBuff[1025];
    time_t ticks; 
    struct tm * timeinfo;
    
    memset(outBuff, 0, sizeof(outBuff)); 
    
    ticks = time(NULL);
    timeinfo = localtime(&ticks);
    strftime(outBuff,sizeof(outBuff),"%I:%M%p.",timeinfo);
    fprintf(stdout, outBuff);
}

Check Information

Category: API / Function Errors

Version History

Introduced in R2023a

See Also

Topics

External Websites