SV.FMTSTR.GENERIC

Format string vulnerability

When a format string is not a compile-time constant, its contents can come from outside the program. An attacker who controls it can supply conversion specifiers that make the printf family read from, or with %n write to, memory the program never intended to expose, up to and including execution of arbitrary code. This type of weakness is typically introduced in

  • code that constructs log messages, in which the message itself is passed as the format string instead of a constant format such as "%s"
  • cases of localization, in which the language-specific message catalogs that supply the format strings can themselves be tampered with

The SV.FMTSTR.GENERIC checker finds format string arguments whose contents can be influenced by input from outside the program.

Vulnerability and risk

Externally controlled format strings in printf-family functions can lead to buffer overflows, out-of-bounds reads and writes (for example through %s, %x and %n specifiers that have no matching argument), and data representation problems. This type of vulnerability may allow local or remote attackers to cause a denial of service (DoS) and possibly execute arbitrary code through format specifiers injected into messages.

Mitigation and prevention

To avoid format string issues:

  • Eliminate the possibility of injecting arbitrary format strings. Make sure that every format string function is passed a constant string that cannot be controlled by the user, and pass variable text as an argument to a "%s" specifier.
  • Validate all user input, and review any format string that could be built from it; reject input that contains conversion specifiers where none are expected.
  • If possible, use functions that don't support the %n conversion specifier, or builds in which it is disabled (glibc with _FORTIFY_SOURCE, for example, aborts when %n appears in a format string stored in writable memory). This is a backstop, not a fix: the read-only specifiers still leak memory.
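The following added example (not from the Klocwork documentation or any Klocwork code) shows the pattern the checker reports and the three mitigations above side by side. It assumes a hypothetical logging wrapper, log_line, of the kind found in real code bases: because the format arrives as an ordinary parameter, the compiler's -Wformat-security diagnostics do not fire at the call site, and only a data-flow checker or a review catches the vulnerable caller. The sample inputs are constructed for the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper (assumed, not from the page): the format
 * string is an ordinary parameter, so the compiler cannot check it here. */
int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: caller-supplied text becomes the format string. Every
 * conversion specifier in user_msg is interpreted; with no matching
 * arguments, %x/%s read and %n writes memory the program never intended. */
int log_user_message_vulnerable(char *out, size_t outsz, const char *user_msg)
{
    return log_line(out, outsz, user_msg);        /* SV.FMTSTR.GENERIC pattern */
}

/* Fixed: a constant format; user_msg is consumed by %s as plain data. */
int log_user_message_fixed(char *out, size_t outsz, const char *user_msg)
{
    return log_line(out, outsz, "%s", user_msg);
}

/* Input validation for code paths that cannot be rewritten yet: true if s
 * contains any conversion specifier. "%%" is a literal percent sign and is
 * allowed; a lone '%' at the end of the string is treated as a directive. */
bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {        /* escaped percent sign: skip both */
            s++;
            continue;
        }
        return true;              /* '%' followed by anything else starts a directive */
    }
    return false;
}

int main(void)
{
    /* Constructed inputs: a benign message containing a percent sign, and a
     * classic probe an attacker would send to leak stack words and write memory. */
    const char *benign = "100%% complete";
    const char *probe  = "%x.%x.%x.%n";
    char buf[128];

    log_user_message_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: \"%s\"\n", buf);     /* "%%" was interpreted: 100% complete */

    log_user_message_fixed(buf, sizeof buf, benign);
    printf("fixed:      \"%s\"\n", buf);     /* passed through verbatim: 100%% complete */

    /* The probe is only validated, never formatted: feeding it to the
     * vulnerable path would be undefined behaviour. */
    printf("probe has directives:  %s\n", has_format_directive(probe) ? "yes" : "no");
    printf("benign has directives: %s\n", has_format_directive(benign) ? "yes" : "no");
    return 0;
}
```

The benign input already shows the problem: the vulnerable path silently rewrites the message, so the same code path would just as silently act on "%n". Treat has_format_directive as a temporary guard; the fix that removes the finding is the constant "%s" format.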

Vulnerable code example 1

#include <stdio.h>

/* Returns text that the program does not control; defined elsewhere. */
const char *some_unknown_function(const char *s);

int main(void)
{
    printf(some_unknown_function("This is suspicious"));  /* SV.FMTSTR.GENERIC reported here */

    return 0;
}

Fixed code example 1

printf(gettext(str)) calls are not reported, as shown in this example. Note that this is only as safe as the message catalogs gettext reads: a catalog that untrusted users can modify reintroduces the localization case described above.

#include <libintl.h>
#include <stdio.h>

int main(void)
{
    printf(gettext("This should be OK"));                 /* No defect reported here */
    return 0;
}

Vulnerable code example 2

#include <stdio.h>

/* Returns text that the program does not control; defined elsewhere. */
const char *some_unknown_function(const char *s);

int main(void)
{
    printf(some_unknown_function("This is suspicious"));  /* SV.FMTSTR.GENERIC reported here */
    return 0;
}

Fixed code example 2

If possible, replace printf(str) calls with printf("%s", str), so that the string is printed as data rather than interpreted as a format.

#include <stdio.h>

/* Returns text that the program does not control; defined elsewhere. */
const char *some_unknown_function(const char *s);

int main(void)
{
    printf("%s", some_unknown_function("This is better")); /* SV.FMTSTR.GENERIC not reported */
    return 0;
}

Related checkers