CXX-S1004: printf or scanf without width-limit on %s

Using printf or scanf with a %s format specifier that carries no width limit is vulnerable to buffer overflow.
Code flagged by this rule: both snprintf calls use a bare "%s" conversion. The enclosing function, the enum and the 15-byte buffer are assumed here to make the fragment complete; the switch body is the original.

#include <stdio.h>

/* Assumed context: the fragment only showed the switch and the return. */
enum load_mode { LM_BACH, LM_INTERACTIVE };

static const char *mode_name(enum load_mode mode)
{
    static char buffer[15];   /* sized to match the snprintf limit of 15 */

    switch (mode)
    {
    case LM_BACH:
        snprintf(buffer, 15, "%s", "LM_BACH");
        break;

    default:
        snprintf(buffer, 15, "%s", "LM_INTERACTIVE");
        break;
    }
    return buffer;
}
scanf("%s", buf) stores every non-whitespace character the input contains, followed by a NUL terminator, without knowing how large buf is: any token longer than the buffer overflows it, and for a program reading stdin that token is attacker-controlled. The printf family has the mirror-image problem: a %s conversion reads the source string until its NUL terminator, so an unterminated or over-long string is read past its end, and when the destination is itself a fixed-size buffer (sprintf) the copied bytes overflow it.
The width goes between the % and the s as a positive decimal integer, %<width>s, for example %9s. For the scanf family the width is the maximum number of characters stored; scanf then appends the NUL terminator, so the width must be at most one less than the size of the destination (%9s for a char[10]). For the printf family the width is a minimum field width and does not truncate anything; the maximum number of characters taken from the source is set by the precision, %.<max>s (for example %.9s), and the destination should be bounded with snprintf rather than sprintf.

Limit the width of string specifiers by adding a maximum width for I/O operations, as outlined above.
/* Non-compliant: no width, so any token longer than 9 characters overflows str. */
char str[10];
scanf("%s", str);

/* Compliant: at most 9 characters are stored, leaving room for the NUL terminator
 * (a width of 10 would write 11 bytes into a 10-byte buffer). */
char str[10];
scanf("%9s", str);
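The following C program is an added example and not code from the CXX-S1004 rule page. It shows the compliant pattern with the width derived from the buffer size, the off-by-one that a width equal to the buffer size produces, and why a width does not bound printf-family output. The function names (read_token and the two check functions) and the input strings are constructed for the example; input is fed through sscanf so the program runs offline, and the same format strings apply unchanged to scanf reading stdin.

```c
#include <stdio.h>
#include <string.h>

/* Added example for CXX-S1004, not code from the rule page.  Input is fed
 * from constructed strings through sscanf() so the program runs offline;
 * the same format strings apply unchanged to scanf() reading stdin. */

/* Compliant pattern: derive the width from the buffer size so that at most
 * dstsize - 1 characters are stored and the NUL terminator still fits.
 * Returns the number of characters stored, or -1 if no token was read. */
int read_token(const char *input, char *dst, size_t dstsize)
{
    char fmt[32];

    if (dstsize < 2)
        return -1;
    /* Builds "%9s" for a 10-byte buffer. */
    snprintf(fmt, sizeof fmt, "%%%zus", dstsize - 1);
    if (sscanf(input, fmt, dst) != 1)
        return -1;
    return (int)strlen(dst);
}

/* Returns 1 if a 10-byte buffer ends up holding exactly the first nine
 * characters of a token that is much longer than the buffer. */
int read_token_truncates(void)
{
    char name[10];
    int n = read_token("  averyveryverylongusername", name, sizeof name);
    return n == 9 && strcmp(name, "averyvery") == 0;
}

/* The off-by-one: a width equal to the buffer size stores width characters
 * and then writes the NUL one byte past the buffer.  A 16-byte backing
 * array keeps that write inside real memory; index 10 is the byte just
 * past a notional 10-byte buffer.  Returns 1 if that byte was overwritten. */
int width_equal_to_size_overruns(void)
{
    char backing[16];

    memset(backing, 0xAA, sizeof backing);
    sscanf("abcdefghijklmnop", "%10s", backing);   /* wrong for a char[10] */
    return backing[10] == '\0';
}

/* printf family: width is a minimum field width and never truncates.  The
 * precision (".N") bounds how many source characters are copied.  Returns 1
 * if "%9s" copied the whole 16-character source and "%.9s" stopped at 9. */
int precision_not_width_limits_output(void)
{
    char out[32];
    const char *src = "abcdefghijklmnop";

    snprintf(out, sizeof out, "%9s", src);
    int width_truncated = strlen(out) == 9;
    snprintf(out, sizeof out, "%.9s", src);
    int precision_truncated = strlen(out) == 9;
    return !width_truncated && precision_truncated;
}

int main(void)
{
    printf("width derived from buffer size keeps the token within char[10]: %s\n",
           read_token_truncates() ? "yes" : "no");
    printf("%%10s into a 10-byte buffer writes past its end: %s\n",
           width_equal_to_size_overruns() ? "yes" : "no");
    printf("printf: width truncates: no; precision truncates: %s\n",
           precision_not_width_limits_output() ? "yes" : "no");
    return 0;
}
```

Two practical points follow from the program. After a width-limited scanf the rest of an over-long token stays in the stream and is handed to the next read, so a parsing loop has to drain the remainder of the line (or read whole lines with fgets into a sized buffer and parse from there). And a width hard-coded in the format string silently becomes wrong when the buffer is resized, which is why building the format from the buffer size, as read_token does, is the safer habit.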