SV.FMT_STR.BAD_SCAN_FORMAT

Missing width field for format string

Improper string-length checking can result in a buffer overflow that a malicious user can exploit. The SV.FMT_STR.BAD_SCAN_FORMAT checker finds instances of a %s conversion with no width specification in the format string of a scanf-family function. Without a width, scanf copies the whole input token into the destination regardless of how large the destination buffer is.

Vulnerability and risk

Several string-width checking issues can result in an exploitable vulnerability. The most common are when a wide or multi-byte character string is incorrectly sized as single-byte characters, or when standard-width and wide-string functions are mixed on a single string. In either case, an exploitable buffer overflow condition can arise. For scanf-family functions specifically, an unbounded %s writes as many bytes as the input supplies, so an attacker who controls the input also controls how far past the end of the buffer the write extends.

Mitigation and prevention

To avoid this type of error:
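The following is an added example, not Klocwork's own code or part of the original checker page. It shows two practices that go with the width fix: deriving the width from the buffer size at compile time, so the two cannot drift apart when the buffer is resized, and using %n to detect when a width-limited read silently truncated an over-long token (a bounded %s stops copying but leaves the rest of the token unread). The names NAME_LEN, NAME_FMT, read_name and the read_status values are assumptions chosen for this example; sscanf is used in place of scanf so the sample input can be constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not Klocwork's code). NAME_LEN is the number of characters
 * a %s conversion may store; the buffer needs one extra byte for the NUL. */
#define NAME_LEN 15
#define STR_(x) #x
#define STR(x) STR_(x)
/* Width derived from NAME_LEN at compile time: expands to "%15s%n". */
#define NAME_FMT "%" STR(NAME_LEN) "s%n"

enum read_status { READ_OK = 0, READ_EMPTY = 1, READ_TRUNCATED = 2 };

/* Read one whitespace-delimited token from `input` into `out`, which must
 * hold NAME_LEN + 1 bytes. The width stops the copy after NAME_LEN
 * characters, so `out` cannot overflow. %n records how many input
 * characters were consumed, which lets the caller detect truncation. */
enum read_status read_name(const char *input, char out[NAME_LEN + 1])
{
    int consumed = 0;

    out[0] = '\0';
    /* sscanf returns 1 on success: %n is not counted as a conversion. */
    if (sscanf(input, NAME_FMT, out, &consumed) != 1)
        return READ_EMPTY;      /* empty input or whitespace only */

    /* If the character right after the consumed span is neither whitespace
     * nor the end of the string, the token continued past the width and
     * was cut off: the buffer is safe, but the data is incomplete and the
     * tail is still waiting to be read by the next conversion. */
    unsigned char next = (unsigned char)input[consumed];
    if (next != '\0' && !isspace(next))
        return READ_TRUNCATED;

    return READ_OK;
}

int main(void)
{
    /* Constructed sample input: a 26-character token, longer than NAME_LEN. */
    const char *oversized = "abcdefghijklmnopqrstuvwxyz";
    char name[NAME_LEN + 1];
    enum read_status st = read_name(oversized, name);

    printf("stored \"%s\" (%zu chars), status %d\n", name, strlen(name), (int)st);
    return 0;
}
```

Changing NAME_LEN changes both the buffer declaration and the format string in one place, which is the property a hand-written "%15s" next to a char s[16] lacks. The truncation check matters because a width-limited %s gives no indication on its own that input was dropped.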
Vulnerable code example

    #include <stdio.h>

    int main(void)
    {
        char s[16];
        scanf("%s", s);    /* no width: any token longer than 15 characters overflows s */
        return 0;
    }

Klocwork flags an error at the scanf call because the %s specification has no width. Any situation in which the width field for the string is missing can result in a buffer overflow condition that can be exploited by a malicious user, since the amount written is decided by whoever supplies the input.

Fixed code example

    #include <stdio.h>

    int main(void)
    {
        char s[16];
        scanf("%15s", s);  /* at most 15 characters plus the terminating NUL fit in s[16] */
        return 0;
    }

In the fixed code, the width is one less than the buffer size, leaving room for the terminating NUL, so the destination buffer cannot overflow. Two points to keep in mind: the width must be updated whenever the buffer size changes, and input longer than the width is not consumed, so the remainder of the token stays in the stream for the next read.

Related checkers

External guidance