Unsafe format specifier

Some forms of formatted input can cause buffer overflow and should not be used.

Care must be taken with formatted input to avoid buffer overflow. In particular, the "%s" input format is inherently unsafe, because it stores as many characters as the input supplies regardless of the destination's size. A better alternative is "%ddds" or "%*s", where ddd is the size of the destination buffer, for example "%24s". If the buffer size is not a compile-time constant, then "%*s" can be used, where "*" obtains the maximum size from the next input argument, for example scanf("%*s", sizeof(buffer), buffer).

ID   Observation        Description
1    Format mismatch    The unsafe formatted input statement

Example

#include <stdio.h>

char buffer[1024];

int main(int argc, char **argv)
{
    scanf("%s", buffer); // unsafe: no width limit, input longer than 1023 chars overflows buffer
    // safer: scanf("%1023s", buffer); the width is sizeof(buffer) - 1 so the terminating NUL fits
    printf("read %s\n", buffer);
    return 0;
}
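The following is an added example and not part of the Intel page; the names read_token_bounded, make_bounded_format, demo_bounded_read and the LONG_INPUT sample are hypothetical, and the input is constructed. It shows the width-limited form in working code, including the case where the buffer size is only known at run time. Two details matter when applying the width: the field width in scanf counts only the characters stored, so it must be one less than the buffer size to leave room for the terminating NUL (a 1024-byte buffer gets "%1023s"), and scanf does not take a width from an argument (in scanf, "*" means read but do not store), so a run-time width has to be rendered into the format string first. The canary field after the small buffer makes an overflow visible if one were to occur.

```c
#include <stdio.h>
#include <string.h>

/* Build a width-limited "%Ns" conversion at run time. The width counts
 * only the characters stored, so it is dst_size - 1 to leave room for
 * the NUL terminator: a 1024-byte buffer gets "%1023s". Since scanf
 * has no width supplied from an argument, the width is rendered into
 * the format string with snprintf. Returns 1 on success, 0 otherwise. */
static int make_bounded_format(char *fmt, size_t fmt_size, size_t dst_size)
{
    if (dst_size < 2)
        return 0;                 /* no room for one character plus NUL */
    return snprintf(fmt, fmt_size, "%%%zus", dst_size - 1) > 0;
}

/* Read one whitespace-delimited token from a string into dst without
 * overflowing it. Returns 1 on success, 0 otherwise. */
int read_token_bounded(const char *input, char *dst, size_t dst_size)
{
    char fmt[32];
    if (!make_bounded_format(fmt, sizeof fmt, dst_size))
        return 0;
    return sscanf(input, fmt, dst) == 1;
}

/* The same bounded read on stdin, where the page's example reads from.
 * Characters beyond the width stay in the stream for the next read. */
int read_token_stdin(char *dst, size_t dst_size)
{
    char fmt[32];
    if (!make_bounded_format(fmt, sizeof fmt, dst_size))
        return 0;
    return scanf(fmt, dst) == 1;
}

/* Constructed over-long input: 40 'A' characters followed by more text. */
static const char LONG_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA trailing";

/* A small buffer followed by a canary, so an overflow would be visible. */
struct probe {
    char buf[8];
    char canary[8];
};

/* Reads LONG_INPUT into the 8-byte buffer. Returns the number of
 * characters stored (7, the width for an 8-byte buffer), or -1 if the
 * read failed or the canary was overwritten. */
int demo_bounded_read(void)
{
    struct probe p;
    memset(&p, 0, sizeof p);
    strcpy(p.canary, "CANARY!");
    if (!read_token_bounded(LONG_INPUT, p.buf, sizeof p.buf))
        return -1;
    if (strcmp(p.canary, "CANARY!") != 0)
        return -1;                 /* would indicate an overflow */
    return (int)strlen(p.buf);
}

int main(void)
{
    char word[16];
    printf("stored %d chars, canary intact\n", demo_bounded_read());
    if (read_token_bounded("hello world", word, sizeof word))
        printf("first word: %s\n", word);
    return 0;
}
```

When the buffer size is a compile-time constant, writing the width directly ("%7s" for an 8-byte array) avoids the snprintf step; the run-time construction above is for sizes that are not constants. Note that the characters the width rejects are not discarded: they remain in the input and will be consumed by the next read, so code that expects one token per call should check for and drain the remainder.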

Copyright © 2010, Intel Corporation. All rights reserved.