Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space CCPPOBJ and version Publish
Panel
borderColorgray
borderStyledashed

Name: Use of potentially dangerous function

Description:

Excerpt
Certain standard library functions are dangerous to callUse of a standard library function that is not thread-safe.

ID: cpp/potentially-dangerous-function

Kind: problem

Severity: errorwarning

Precision: high

Dont print
Code Block
languageql
titleQuery: PotentiallyDangerousFunction.ql
collapsetrue
/**
 * @name Use of potentially dangerous function
 * @description CertainUse of a standard library functionsfunction arethat dangerousis tonot callthread-safe.
 * @kind problem
 * @problem.severity errorwarning
 * @precision high
 * @id cpp/potentially-dangerous-function
 * @tags reliability
 *       security
 *       external/cwe/cwe-242676
 */
import cpp

predicate potentiallyDangerousFunction(Function f, string message) {
  exists(string name |   f.getQualifiedNamehasGlobalName(name) |
    (
      name = "gmtime" andor
    message  name = "Calllocaltime" toor
gmtime is potentially dangerous"   ) name = "ctime" or
(     f.getQualifiedName() name = "getsasctime"
    ) and
    message = "getsCall doesto not" guard+ againstname buffer+ overflow" is potentially dangerous"
  )
}


from FunctionCall call, Function target, string message
where
  call.getTarget() = target and
  potentiallyDangerousFunction(target, message)
select call, message

This rule finds calls to functions that are dangerous to use. Currently, it checks for calls to gets and gmtime. See Related rules below for rules that identify other dangerous functions.

The gets function is one of the vulnerabilities exploited by the Internet Worm of 1988, one of the first computer worms to spread through the Internet. The gets function provides no way to limit the amount of data that is read and stored, so without prior knowledge of the input it is impossible to use it safely with any size of buffer.

The gmtime function fills , localtime, ctime and asctime.

The time related functions such as gmtime fill data into a tm struct or char array in shared memory and then returns a pointer to that structmemory. If the function is called from multiple places in the same program, and especially if it is called from multiple threads in the same program, then the calls will overwrite each other's data.

Recommendation

Replace calls to gets with fgets, specifying the maximum length to copy. This will prevent the buffer overflow.Replace calls to gmtime with gmtime_r. With gmtime_r, the application code manages allocation of the tm struct. That way, separate calls to the function can use their own storage.

Similarly replace calls to localtime with localtime_r, calls to ctime with ctime_r and calls to asctime with asctime_r.

Example

The following example checks the local time in two ways:

Print only
     1// BAD: using gmtime
     2int is_morning_bad() {
     3    const time_t now_seconds = time(NULL);
     4    struct tm *now = gmtime(&now_seconds);
     5    return (now->tm_hour < 12);
     6}
     7
     8// GOOD: using gmtime_r
     9int is_morning_good() {
    10    const time_t now_seconds = time(NULL);
    11    struct tm now;
    12    gmtime_r(&now_seconds, &now);
    13    return (now.tm_hour < 12);
    14}
Dont print
Code Block
languagecpp
themeEclipse
linenumberstrue
// BAD: using gmtime
int is_morning_bad() {
    const time_t now_seconds = time(NULL);
    struct tm *now = gmtime(&now_seconds);
    return (now->tm_hour < 12);
}

// GOOD: using gmtime_r
int is_morning_good() {
    const time_t now_seconds = time(NULL);
    struct tm now;
    gmtime_r(&now_seconds, &now);
    return (now.tm_hour < 12);
}

The first version uses gmtime, so it is vulnerable to its data being overwritten by another thread. Even if this code is not used in a multi-threaded context right now, future changes may make the program multi-threaded. The second version of the code uses gmtime_r. Since it allocates a new tm struct on every call, it is immune to other calls to gmtime or gmtime_r.

Related rules

Other dangerous functions identified by CWE-676 ("Use of Potentially Dangerous Function") include strcpy and strcat. Use of these functions is highlighted by rules for the following CWEs:

  • CWE-120 Classic Buffer Overflow
  • CWE-131 Incorrect Calculation of Buffer Size
References
Htmlcomment
hiddentrue
hashconfluence_uploader_hash:79b9b693b96ff3dd6e4cd85b54464093d0f7c9aac9e8db069758afa2b9446e55924276895b70336a