SV.TAINTED.FMTSTR

Unvalidated input - untrusted data is used as a format string.

Vulnerability and risk

Mitigation and prevention

Example 1

 1  #define TKS_MAXBUFFER 1024
 2  int check_tklines(char *host, char *user, int lifetime) {
 3      FILE *iconf, *iconf_tmp;
 4      //...
 5      if ((iconf = fopen(CPATH, "r")) && (iconf_tmp = fopen(TKSERV_IRCD_CONFIG_TMP, "w"))){
 6
 7          char buffer[TKS_MAXBUFFER];
 8          while (fgets(buffer, TKS_MAXBUFFER, iconf)){
 9              if ((*buffer != 'K') || (!strstr(buffer, "tkserv"))){
10                  fprintf(iconf_tmp, buffer);
11              }
12              //...
13
14          }
15      }
16      return 0;
17  }

Klocwork produces an issue report at line 10, indicating that the unvalidated string 'buffer', received through the call to 'fgets' at line 8, is used as the format string in the call to 'fprintf' at line 10.

Security Guidelines |