Use of deprecated function (gets)
Description
The gets() function reads a line from stdin into the provided buffer until a terminating newline or EOF is reached; the newline, if present, is not stored, and a null byte is written after the data read. No check for buffer overrun is performed: any input line longer than the buffer is written past its end, so gets() was marked obsolescent in C99 (TC3) and removed from the standard in C11. Use fgets(), which takes the buffer size, instead. Note that neither function stops at a '\0' in the input; reading continues to the newline or EOF, and an embedded NUL byte simply truncates the stored line as far as string functions are concerned.
Examples
Insecure Code

```c
char buffer[64];
gets(buffer); /* writes past the end of buffer on any line longer than 63 bytes */
```

Secure Code

```c
char buffer[64];
if (fgets(buffer, sizeof(buffer), stdin) == NULL) { /* NULL on EOF or read error */ }
```

Remediation
Replace gets() with fgets() for text-based input, passing the real buffer size (sizeof on an array, not a pointer) and checking the return value, which is NULL on EOF or error. Unlike gets(), fgets() keeps the trailing newline, so strip it if the caller expects a bare line, and be aware that a line longer than the buffer is split across successive calls rather than rejected. For binary input, use read() or fread() with an explicit length.
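The following is an added example, not code from the rule text or from any project: a gets()-style line reader built on fgets() that also covers what the one-line remediation leaves implicit. It checks the return value, strips the newline that fgets() keeps, and detects that an over-long line was truncated instead of letting the next call silently return the tail of the same line. The names read_line, open_sample, count_truncated_lines and the sample input are constructed for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one call to read_line(). */
enum line_status {
    LINE_OK,         /* a complete line was stored; the trailing newline was removed */
    LINE_TRUNCATED,  /* the line did not fit; size-1 bytes were kept, the rest discarded */
    LINE_EOF         /* nothing left to read, or a read error */
};

/*
 * Bounded replacement for gets(buf). fgets() guarantees at most size-1
 * bytes plus a NUL, but it keeps the newline and gives no signal when a
 * line is longer than the buffer (the next call would return the rest of
 * the same line). Both cases are handled here.
 */
enum line_status read_line(char *buf, size_t size, FILE *in)
{
    if (buf == NULL || size == 0 || size > (size_t)INT_MAX) return LINE_EOF;
    if (fgets(buf, (int)size, in) == NULL) {    /* NULL on EOF or error */
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                    /* gets() never stored the newline either */
        return LINE_OK;
    }
    /* No newline in the buffer. Look at the next byte to tell "final line
       without newline" or "line exactly filled the buffer" apart from
       "line was longer than the buffer". */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return LINE_OK;
    while (c != '\n' && c != EOF) c = fgetc(in); /* discard the overflow */
    return LINE_TRUNCATED;
}

/* Turn a string into a FILE* so the reader can be exercised offline.
   tmpfile() is ISO C; the text is constructed sample input, not real data. */
FILE *open_sample(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Constructed input: a short line, a line too long for a 16-byte buffer,
   and a final line with no newline. */
static const char SAMPLE_INPUT[] =
    "short\n"
    "this line is far too long for a 16-byte buffer\n"
    "last";

/* Read SAMPLE_INPUT with a 16-byte buffer and return how many lines were
   truncated, or -1 if the sample stream could not be created. */
int count_truncated_lines(void)
{
    FILE *in = open_sample(SAMPLE_INPUT);
    if (in == NULL) return -1;
    char buf[16];
    int truncated = 0;
    enum line_status st;
    while ((st = read_line(buf, sizeof buf, in)) != LINE_EOF) {
        if (st == LINE_TRUNCATED) truncated++;
    }
    fclose(in);
    return truncated;
}

int main(void)
{
    printf("truncated lines: %d\n", count_truncated_lines());
    return 0;
}
```

A caller that only needs gets()-like behaviour can ignore LINE_TRUNCATED, but input parsers should treat it as an error: a silently split line is exactly the condition that lets an attacker smuggle the second half of a long line into the next field.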
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0567 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-120 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | buffer overrun, deprecated function |
| OWASP | A1:2017-Injection, A03:2021-Injection |