Checkers:SV.FMT_STR.BAD_SCAN_FORMAT

Missing width field for format string

Improper string-length checking can result in a buffer overflow situation that can be exploited by a malicious user. The SV.FMT_STR.BAD_SCAN_FORMAT checker finds instances of a %s conversion in a scanf-family format string that omits the width specification.

Vulnerability and risk

Several string-width checking issues can result in an exploitable vulnerability. The most common occur when a wide or multi-byte character string is measured as though it consisted of single-byte characters, or when standard-width and wide-string functions are mixed on a single string. In either case, an exploitable buffer overflow condition can arise. For more information on vulnerability and risk in buffer overflows, see Understanding buffer overflows.

Mitigation and prevention

To avoid this type of error:

  • Verify the length of the string unit character
  • Make sure the destination buffer can handle the size of the string
  • Compute the width of the string dynamically

Code examples

Vulnerable code example

1  int main(void) {
2      char s[16];
3      scanf("%s", s);    /* no width: any token of 16 or more characters overruns s */
...
4  }

Klocwork flags an error at line 3 because the width of the string is missing from the %s specification. Any situation in which the width field for the string is missing can result in a buffer overflow condition that can be exploited by a malicious user.

Fixed code example

1  int main(void) {
2      char s[16];
3      scanf("%15s", s);  /* width 15 plus the terminating NUL fits the 16-byte buffer */
...
4  }

In the fixed code, the width of the string is provided correctly: %15s stores at most 15 characters, and scanf appends the terminating NUL, so the 16-byte destination buffer won't overflow.
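The following is an added example, not Klocwork's code and not part of the checker documentation. It covers both the mitigation list above (compute the width dynamically, make sure the destination buffer can hold the string) and the fixed code example: the unbounded form is kept only for contrast, the page's hard-coded %15s form is shown as written, and a third variant builds the "%<width>s" conversion from the real buffer size at run time so the width cannot drift out of step with the declaration. It uses sscanf over a constructed input string in place of scanf on stdin so it runs offline; the function names, NAME_LEN, and the input strings are all assumptions of this example. The %n directive reports how many input bytes were consumed, which lets the caller detect the one behaviour a width field does not remove: a longer token is silently cut off and its remainder stays in the input for the next read.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* same 16-byte buffer as the page's example */

/* VULNERABLE: the pattern SV.FMT_STR.BAD_SCAN_FORMAT flags. "%s" has no
   width, so a token of 16 or more characters overruns dst. Kept for
   contrast only; nothing below calls it with an over-long token. */
int scan_token_unbounded(const char *input, char *dst) {
    return sscanf(input, "%s", dst);
}

/* The page's fix: a hard-coded width. %15s stores at most 15 characters
   and sscanf appends the NUL, so exactly NAME_LEN bytes are written. */
int scan_token_fixed(const char *input, char dst[NAME_LEN]) {
    return sscanf(input, "%15s", dst);
}

/* Mitigation "compute the width dynamically": derive the width from the
   caller's buffer size. Returns the number of characters stored, or -1 on
   failure. *consumed receives how many input bytes were used (via %n). */
int scan_token_bounded(const char *input, char *dst, size_t dst_size, int *consumed) {
    char fmt[32];
    int used = 0;
    if (input == NULL || dst == NULL || dst_size < 2) return -1;
    /* width = dst_size - 1 leaves one byte for the NUL written by sscanf */
    int n = snprintf(fmt, sizeof fmt, "%%%zus%%n", dst_size - 1);
    if (n < 0 || (size_t)n >= sizeof fmt) return -1;
    if (sscanf(input, fmt, dst, &used) != 1) { dst[0] = '\0'; return -1; }
    if (consumed) *consumed = used;
    return (int)strlen(dst);
}

/* True when the byte following the consumed input is still part of the
   token, i.e. the width field cut the token short and data remains unread. */
int token_was_truncated(const char *input, int consumed) {
    char next = input[consumed];
    return next != '\0' && next != ' ' && next != '\t' && next != '\n';
}

/* Convenience wrappers: run the bounded scan into a local NAME_LEN buffer
   and report the stored length / whether the token was truncated. */
int bounded_len(const char *input) {
    char buf[NAME_LEN];
    int consumed = 0;
    return scan_token_bounded(input, buf, sizeof buf, &consumed);
}

int bounded_truncated(const char *input) {
    char buf[NAME_LEN];
    int consumed = 0;
    if (scan_token_bounded(input, buf, sizeof buf, &consumed) < 0) return -1;
    return token_was_truncated(input, consumed);
}

int main(void) {
    /* constructed inputs: a 40-character token (longer than the buffer)
       and a short one that fits */
    const char *hostile = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA trailing";
    const char *benign  = "alice rest";
    char name[NAME_LEN];
    int consumed = 0;

    int len = scan_token_bounded(hostile, name, sizeof name, &consumed);
    printf("stored %d chars \"%s\", consumed %d, truncated=%d\n",
           len, name, consumed, token_was_truncated(hostile, consumed));

    len = scan_token_bounded(benign, name, sizeof name, &consumed);
    printf("stored %d chars \"%s\", consumed %d, truncated=%d\n",
           len, name, consumed, token_was_truncated(benign, consumed));

    scan_token_fixed(benign, name);
    printf("fixed form read \"%s\"\n", name);
    return 0;
}
```

Building the format with snprintf ties the width to `dst_size` rather than to a literal that must be kept in sync by hand whenever the buffer declaration changes; the truncation check matters because a caller that treats a cut-off token as a complete value will read the leftover bytes as the start of the next field.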

Related checkers

External guidance