CodeQL documentation

Incorrect return-value check for a ‘scanf’-like function

ID: cpp/incorrectly-checked-scanf
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
  - security
  - correctness
  - external/cwe/cwe-253
Query suites:
  - cpp-code-scanning.qls
  - cpp-security-extended.qls
  - cpp-security-and-quality.qls


This query finds calls of scanf-like functions with improper return-value checking. Specifically, it flags uses of scanf where the return value is only checked against zero.

Functions in the scanf family return either EOF (a negative value) in case of I/O failure, or the number of items successfully read from the input. Consequently, a simple check that the return value is nonzero is not enough: it treats both EOF and a partial match (fewer items than requested) as success.

Recommendation

Ensure that all uses of scanf check the return value against the expected number of arguments rather than just against zero.

Example

The following examples show different ways of guarding a scanf output. In the BAD examples, the results are only checked against zero. In the GOOD examples, the results are checked against the expected number of matches instead.

#include <stdio.h>

void use(int value);   /* consumer of the parsed values; body not shown on this page */

void example(void)
{
    int i, j;

    // BAD: The result is only checked against zero
    if (scanf("%d %d", &i, &j)) {
        use(i);
        use(j);
    }

    // BAD: The result is only checked against zero
    if (scanf("%d %d", &i, &j) == 0) {
        i = 0;
        j = 0;
    }
    use(i);
    use(j);

    if (scanf("%d %d", &i, &j) == 2) {
        // GOOD: the result is checked against 2
    }

    // GOOD: the result is compared directly
    int r = scanf("%d %d", &i, &j);
    if (r < 2) {
        return;
    }
    if (r == 1) {
        j = 0;
    }
}
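The following is an added example, not part of the CodeQL documentation or the query's own test code. It makes the three outcomes of a scanf-family call (EOF, partial match, full match) observable on constructed input strings by using sscanf, whose return-value contract is the same as scanf's, and contrasts the nonzero check the query flags with a check against the expected item count. The function names parse_pair and weak_check_accepts, the parse_status enum, and the sample strings are all assumptions of this example.

```c
#include <stdio.h>

/* Outcome of parsing a "width height" pair (names are this example's own). */
typedef enum {
    PARSE_OK = 0,          /* both items were assigned */
    PARSE_PARTIAL = 1,     /* 0 or 1 items assigned: matching failure part-way */
    PARSE_INPUT_ERROR = 2  /* EOF: input ended/failed before the first conversion */
} parse_status;

/* GOOD: the return value is compared against the number of items requested (2),
 * and EOF is distinguished from a matching failure.
 * sscanf is used so the example runs on an in-memory string; scanf and fscanf
 * return values follow the same rules. */
parse_status parse_pair(const char *text, int *width, int *height)
{
    int r = sscanf(text, "%d %d", width, height);
    if (r == EOF) {
        return PARSE_INPUT_ERROR;  /* EOF is negative, so "r != 0" would accept it */
    }
    if (r != 2) {
        return PARSE_PARTIAL;      /* one of the two outputs was never written */
    }
    return PARSE_OK;
}

/* BAD: the pattern the query flags. Nonzero is taken as success, so EOF (-1)
 * and a partial match (1) are both treated as if two values were read. */
int weak_check_accepts(const char *text, int *width, int *height)
{
    return sscanf(text, "%d %d", width, height) != 0;
}

int main(void)
{
    /* Constructed sample inputs, not from any real program. */
    const char *samples[] = { "12 34", "12", "abc", "" };
    for (int k = 0; k < 4; k++) {
        int w = -1, h = -1;
        parse_status s = parse_pair(samples[k], &w, &h);
        int weak = weak_check_accepts(samples[k], &w, &h);
        printf("input \"%s\": strict status=%d, weak nonzero check says success=%d\n",
               samples[k], (int)s, weak);
    }
    return 0;
}
```

Running it shows that the nonzero check reports success for the empty input (sscanf returns EOF, which is nonzero) and for "12" (only one item assigned, leaving height uninitialised), while the count-based check rejects both.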
