SV.FMT_STR.BAD_SCAN_FORMAT

Missing width field for format string

Improper string-length checking can result in a buffer overflow that a malicious user can exploit. The SV.FMT_STR.BAD_SCAN_FORMAT checker finds %s conversions in a scanf-family format string that have no maximum field width, so the input length is not bounded by the destination buffer.

Vulnerability and risk

Several string-width checking issues can result in an exploitable vulnerability. The most common are when a wide or multibyte character string is incorrectly calculated as single-byte characters, or in a case of mixed standard-width and wide-string functions for a single string. In either case, an exploitable buffer overflow condition can arise.

Mitigation and prevention

To avoid this type of error:

  • Verify the size of the string's character unit (single-byte, multibyte, or wide) before computing lengths
  • Make sure the destination buffer can handle the size of the string
  • Compute the width of the string dynamically

Vulnerable code example

  void main() {
      char s[16];
      scanf("%s",s);   /* no width: input longer than 15 characters overruns s */
  }

Klocwork flags an error at line 3 because the %s specification has no field width. Any situation in which the width field for the string is missing can result in a buffer overflow condition that can be exploited by a malicious user.

Fixed code example

  void main() {
      char s[16];
      scanf("%15s",s); /* width 15 leaves room for the terminating null in a 16-byte buffer */
  }

In the fixed code, the width of the string is provided correctly: at most 15 characters are stored, leaving one byte for the terminating null in the 16-byte buffer, so the destination buffer cannot overflow.
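The fixed example hard-codes the width 15 next to the declaration of a 16-byte buffer, which silently breaks if the buffer is later resized. The following added example (not part of the Klocwork documentation) implements the "compute the width dynamically" mitigation: the width is derived from the buffer capacity at run time, and a guard field placed after the buffer lets the caller confirm that an over-long constructed input was truncated rather than written past the end. The function names and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Read one whitespace-delimited token from `input` into `dst` (capacity `cap`).
 * The scanf width is built from `cap` at run time so it is always cap - 1,
 * leaving one byte for the terminating null regardless of the buffer size.
 * Returns the number of characters stored, or -1 on failure. */
int read_token_bounded(const char *input, char *dst, size_t cap) {
    char fmt[32];
    if (cap < 2) return -1;                       /* no room for a char plus null */
    /* e.g. cap == 16 produces "%15s", the same width the fixed example hard-codes */
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);
    if (sscanf(input, fmt, dst) != 1) return -1;  /* empty or whitespace-only input */
    return (int)strlen(dst);
}

/* Constructed demo input: 30 'A's, far longer than the 16-byte buffer below. */
static const char LONG_INPUT[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Returns 1 if reading LONG_INPUT into a 16-byte buffer with the dynamic width
 * leaves the adjacent guard field untouched, 0 if anything was written past s. */
int guard_intact_after_read(void) {
    struct { char s[16]; unsigned char guard[8]; } frame;
    memset(frame.guard, 0x5a, sizeof frame.guard);
    if (read_token_bounded(LONG_INPUT, frame.s, sizeof frame.s) < 0) return 0;
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0x5a) return 0;
    return 1;
}

int main(void) {
    char s[16];
    int n = read_token_bounded(LONG_INPUT, s, sizeof s);
    printf("stored %d chars: \"%s\" (guard intact: %d)\n",
           n, s, guard_intact_after_read());
    return 0;
}
```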

Security training

Application security training materials provided by Secure Code Warrior.