Checkers:SV.FMTSTR.GENERIC



Format string vulnerability

When format strings aren't explicit, they can be injected from outside the code, which means that an attacker may be able to provide a specially crafted format string to execute arbitrary code. This type of weakness can typically be introduced in

  • code that constructs log messages, in which a constant format string is omitted
  • cases of localization, in which language-specific repositories can be vulnerable

The SV.FMTSTR.GENERIC checker finds instances of format strings that can be affected by the user.

Vulnerability and risk

Externally controlled format strings in printf functions can lead to buffer overflows and data representation problems. This type of vulnerability may allow local or remote attackers to cause a denial of service, and possibly execute arbitrary code through format specifiers that are injected into messages.

Mitigation and prevention

To avoid format string issues

  • Eliminate the possibility of injection of arbitrary format strings. Make sure that all format string functions are passed a static string that cannot be controlled by the user.
  • Validate all user input, and review any format strings that could be injected.
  • If possible, use functions that don't support the %n conversion specifier in format strings.

Code examples

Vulnerable code example

1  int main()
2  {
3  	printf(gettext("This should be OK"));
4  	printf(some_unknown_function("This is suspicious"));
5  }

Klocwork produces an issue report at line 4 indicating that function 'printf' may accept a format string that can be influenced by the user, causing a format string vulnerability. The call to gettext in line 3 is considered to be permissible, but it's best to review flagged calls and, if possible, replace printf(str) calls with printf("%s", str) so that the string is always treated as a character string argument rather than as a format.
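The following is an added example, not Klocwork's code or part of the checker documentation. It shows the hardened printf("%s", str) form recommended above beside a small review helper that counts the conversion specifications in a string and flags %n, the kind of check a reviewer can run over strings that the checker reports as reaching a printf-family format parameter. The function names count_conversions, has_percent_n and log_untrusted are assumptions chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Scan fmt for conversion specifications: a '%' that is not part of a
 * literal "%%". Sets *percent_n when the dangerous %n conversion occurs.
 * Returns the number of conversions found. */
static int scan_format(const char *fmt, int *percent_n)
{
    int count = 0;
    *percent_n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0') { count++; break; }   /* lone '%' at end of string */
        if (*p == '%')
            continue;                         /* "%%" is a literal percent */
        count++;
        /* Skip flags, width, precision and length modifiers to reach the
         * conversion character itself. */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == 'n')
            *percent_n = 1;
        if (*p == '\0')
            break;
    }
    return count;
}

/* Convenience wrappers for review scripts and tests. */
static int count_conversions(const char *fmt) { int n; return scan_format(fmt, &n); }
static int has_percent_n(const char *fmt)     { int n; scan_format(fmt, &n); return n; }

/* Hardened form of printf(msg): the format is a compile-time constant and
 * the untrusted text is only ever data. Returns fprintf's result. */
static int log_untrusted(FILE *out, const char *msg)
{
    return fprintf(out, "%s\n", msg);
}

int main(void)
{
    /* Constructed sample of text that reached printf() as its format. */
    const char *untrusted = "%08x %08x %n";
    printf("conversions=%d percent_n=%d\n",
           count_conversions(untrusted), has_percent_n(untrusted));
    log_untrusted(stdout, untrusted);   /* printed verbatim, nothing interpreted */
    return 0;
}
```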

Related checkers

External guidance