SV.TAINTED.FMTSTR
Unvalidated input - untrusted data is used as a format string.
Vulnerability and risk
Mitigation and prevention
Example
    #include <stdio.h>
    #include <string.h>

    #define TKS_MAXBUFFER 1024

    int check_tklines(char *host, char *user, int lifetime) {
        FILE *iconf, *iconf_tmp;
        //...
        if ((iconf = fopen(CPATH, "r")) && (iconf_tmp = fopen(TKSERV_IRCD_CONFIG_TMP, "w"))) {
            char buffer[TKS_MAXBUFFER];
            while (fgets(buffer, TKS_MAXBUFFER, iconf)) {        // untrusted line read from the config file
                if ((*buffer != 'K') || (!strstr(buffer, "tkserv"))) {
                    fprintf(iconf_tmp, buffer);                  // tainted 'buffer' passed as the format string
                }
                //...
            }
        }
        return 0;
    }
Klocwork produces an issue report at line 10 indicating that unvalidated string 'buffer' received through a call to 'fgets' at line 8 can be used as a format string through a call to 'fprintf' at line 10.
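As an added example (not from the Klocwork page), the same copy loop with the format-string use removed: each line goes through fputs instead of being passed as the fprintf format, so '%' sequences in the config are copied literally. It runs on a constructed in-memory config via fmemopen (POSIX), and includes a small helper that flags lines containing '%' for logging or review.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen (POSIX) */
#include <stdio.h>
#include <string.h>
#define TKS_MAXBUFFER 1024

/* Returns 1 if the line holds a '%' that fprintf would treat as a conversion
 * directive if the line were passed as the format argument; a logging/review
 * aid only, the real fix is the fixed output call in copy_tklines. */
int has_format_directive(const char *line)
{
    return strchr(line, '%') != NULL;
}

/* Hardened form of the page's loop: each input line is written with fputs
 * (fprintf(out, "%s", buffer) would do equally), so '%' sequences are copied
 * literally instead of being interpreted. Returns lines copied, -1 on error. */
int copy_tklines(FILE *in, FILE *out)
{
    char buffer[TKS_MAXBUFFER];
    int copied = 0;
    while (fgets(buffer, sizeof buffer, in)) {
        if ((*buffer != 'K') || (!strstr(buffer, "tkserv"))) {
            if (fputs(buffer, out) == EOF)
                return -1;
            copied++;
        }
    }
    return copied;
}

/* Runs copy_tklines on a constructed config: a 'K' line naming tkserv (must be
 * dropped) and a line carrying %s/%n (must survive byte for byte). The filtered
 * output lands in dst (capacity n); returns the number of lines copied. */
int demo(char *dst, size_t n)
{
    static const char config[] =
        "M:irc.example:constructed server line\n"
        "K:*@bad.example:tkserv temporary ban\n"
        "I:100% legit %s %n line\n";
    FILE *in = fmemopen((void *)config, sizeof config - 1, "r");
    FILE *out = tmpfile();
    if (!in || !out) return -1;
    int copied = copy_tklines(in, out);
    rewind(out);
    size_t got = fread(dst, 1, n - 1, out);
    dst[got] = '\0';
    fclose(in); fclose(out);
    return copied;
}
```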
See also
External guidance
- CERT FIO30-C: Exclude user input from format strings
- CWE-20: Improper Input Validation
- CWE-134: Use of Externally-Controlled Format String
- CWE-464: Addition of Data Structure Sentinel
- OWASP A3:2021 Injection
- STIG-ID:APP3510 Input Validation
- STIG-ID:APP3560 Application contains format string vulnerabilities