Format string vulnerability in scanf functions
Description
The scanf family of functions (scanf, fscanf, sscanf) is called with a conversion specifier such as %s that carries no field width, so nothing limits the number of characters written into the target buffer; input longer than the buffer overflows it, which is the format string based overflow this rule reports.
Examples
Insecure Code
```c
#include <stdio.h>
char buf[11] = {0};
scanf("%s", buf);   /* no field width: any input longer than 10 characters overflows buf */
```
Secure Code
```c
#include <stdio.h>
char buf[11] = {0};
scanf("%10s", buf); /* field width 10 leaves room for the terminating NUL in the 11-byte buffer */
```
Remediation
Use format specifiers with field widths to limit the number of characters copied into the target buffer (the width must be at most the buffer size minus one, since scanf appends a terminating NUL), or use more secure versions of these functions such as scanf_s, where the implementation provides them.
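The following added example (not part of the original rule page) shows the remediation applied in a reusable way: instead of hard-coding a literal such as "%10s" and hoping it stays in sync with the buffer declaration, the helper builds the field width from the buffer size at run time, so the bound can never drift from the buffer. The function name `read_token_bounded`, the constant `BUF_SIZE` and the sample inputs are assumptions made for this example. It uses sscanf on an in-memory string so it can be exercised without interactive input; the same format string works unchanged with scanf or fscanf.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 11   /* room for 10 characters plus the terminating NUL (assumed size) */

/* Read one whitespace-delimited token from `input` into `out` (capacity `out_size`).
 * The field width is derived from out_size - 1, so sscanf can never write more
 * than out_size - 1 characters plus the NUL, whatever the input length.
 * Returns the number of characters stored, or -1 if nothing matched.
 * Hypothetical helper written for this example, not the page's own code. */
int read_token_bounded(const char *input, char *out, size_t out_size)
{
    char fmt[32];

    if (out == NULL || out_size < 2)
        return -1;

    /* Build e.g. "%10s" from the buffer size: "%%" -> "%", "%zu" -> width, "s" -> "s". */
    snprintf(fmt, sizeof fmt, "%%%zus", out_size - 1);

    out[0] = '\0';
    if (sscanf(input, fmt, out) != 1)
        return -1;

    return (int)strlen(out);
}

int main(void)
{
    /* Constructed sample inputs: the first is longer than the buffer. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA"; /* 20 characters */
    const char *fits     = "hello world";
    char buf[BUF_SIZE];

    int n = read_token_bounded(too_long, buf, sizeof buf);
    printf("stored %d chars: \"%s\"\n", n, buf); /* truncated to 10, no overflow */

    n = read_token_bounded(fits, buf, sizeof buf);
    printf("stored %d chars: \"%s\"\n", n, buf); /* "hello" */

    return 0;
}
```

Deriving the width from `sizeof buf` is the part worth copying: a later change to the buffer size, or a refactor that moves the buffer to the heap, cannot silently reopen the overflow because the format string and the buffer always agree.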
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0575 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-120 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | format string vulnerability, scanf |
| OWASP | A1:2017-Injection, A03:2021-Injection |