`

C库需要注意的函数

阅读更多
 

Table of C Library Functions

 The table below explains the necessary security considerations when using various C library functions. Each function is classified in one of the following categories.

UNRESTRICTED
This is the default for functions
USE WITH CAUTION
Allowed for use, but special care is needed when using these functions
AVOID
Use should be avoided as these functions are difficult to use securely
UNSAFE
These functions cannot be used securely so they should not to be used under any circumstances
 A
access
ascftime
asprintf
 B
bcopy
 C
catopen
cftime
chdir
chmod
chroot
chown
copylist
creat
 D
dbm_open
dlopen
dbminit
drand48
dup
dup2
 E
erand48
execl
execlp
execv
execve
execvp
 F
fattach
fchmod
fchmodat
fchown
fdopen
fopen
fprintf
freopen
fscanf
fstat
fstatat
ftw
fwprintf
 G
getenv
getlogin
getpass
gets
 J
jrand48
 K
kvm_open
 L
lchown
lrand48
lstat
 M
memcpy
mkdir
mkdirat
mknod
mknodat
mkstemp
mktemp
mrand48
 N
nftw
nlist
nrand48
 O
open
 P
p2open
popen
printf
 R
rand
rand_r
random
 S
scanf
snprintf
sprintf
srand
srand48
sscanf
stat
strcadd
strcat
strccpy
strcpy
streadd
strecpy
strlcat
strlcpy
strncat
strncpy
strtrns
swprintf
syslog
system
 T
tempnam
tmpfile
tmpnam
tmpnam_r
truncate
 U
umask
utmpname
utmpxname
 V
vfprintf
vfscanf
vfwprintf
vprintf
vscanf
vsnprintf
vsprintf
vsscanf
vswprintf
vsyslog
vwprintf
 W
wprintf

gets

char *gets(char *s)
Category
UNSAFE
Note
This function does not check for bounds while storing the input. This function can't be used securely.
Alternative
fgets(buf, sizeof (buf), stdin)
getline(buf, bufsize, stdin) New in Solaris 11

cftime

int cftime(char *s, char *format, const time_t *clock)
int ascftime(char *s, const char *format, const struct tm *timeptr)
Category
UNSAFE
Note
These routines do no bounds checking on the output buffer and may import user-data through the environment variable CFTIME.
Alternative
strftime(buf, sizeof (buf), fmt, &tm)

strcat

char *strcat(char *s1, const char *s2)
char *strcpy(char *s1, const char *s2)
Category
AVOID
Note
It is not possible to limit these functions to a maximum buffer size. Although one can calculate the amount of space needed before calling strcat or strcpy, the use of these functions will always force reviewers to follow the logic, and prevent automated scanning of source code for vulnerabilities.
Alternative
strlcat(dst, src, dstsize)
 strlcpy(dst, src, dstsize)

strncat

char *strncat(char *s1, const char *s2, size_t n)
char *strncpy(char *s1, const char *s2, size_t n)
Category
USE WITH CAUTION
Note
strncpy() is not guaranteed to null-terminate the destination buffer. strncat() is hard to use as it requires the proper size of the destination buffer to be calculated.
Note
The fact that strncpy() does not null- terminate on insufficient space, together with the side effect that it will add NUL bytes if there is space left makes it a useful function for updating structures that reside on disk, for example wtmpx, which are often generated with write(fd, w, sizeof (*w));
Alternative
strlcpy(dst, src, dstsize)
strlcat(dst, src, dstsize)

strlcpy

size_t strlcpy(char *dst, const char *src, size_t dstsize)
size_t strlcat(char *dst, const char *src, size_t dstsize)
Category
UNRESTRICTED
Note
Preferred alternative to strcpy/strcat functions. Available in Solaris 8 and later. Should be used with constant and not computed size arguments to facilitate code review.

open

int open(const char *path, int oflag, /* mode_t mode */...)
int creat(const char *path, mode_t mode)
Category
USE WITH CAUTION
Note
 When opening for reading from a privileged program, make sure that you open the file as the user by dropping privileges or setting the effective uid to the real uid. Under no circumstances should programs implement their own access control based on file ownership and modes. Similarly, when creating files, do not open() and then chown() the file.
Note
 When opening for writing, the program can be tricked into opening the wrong file by following symbolic or hard links. To avoid this problem, either use the O_NOFOLLOW and O_NOLINKS flags, or use O_CREAT|O_EXCL to ensure that a new file is created instead of opening an existing file.
Note
 When opening a file, consider if the file descriptor should be kept open across an exec() call.   In Solaris 11, you can specify O_CLOEXEC in the open flags to atomically mark the file descriptor to be closed by exec system calls.  In older releases, you will need to use fcntl() with the FD_CLOEXEC flag, which allows a race condition in multithreaded programs, if another thread forks and execs between the open() and fcntl() calls.

dup

int dup(int fildes)
int dup2(int fildes, int fildes2)
Category
USE WITH CAUTION
Note
 dup() and dup2() both return file descriptors with the FD_CLOEXEC cleared so that they may leak when a program calls exec(). Older code made fcntl() calls shortly after these functions returned to set that flag, but in multi-threaded code (including programs that only run one thread themselves, but may be linked with libraries that run additional threads), that leaves a window open for a race with another thread. The F_DUPFD_CLOEXEC & F_DUP2FD_CLOEXEC calls to fcntl (available in Solaris 11 and later releases) combine the duplication & flag setting into an atomic operation so there is no race.
Alternative
fcntl(fildes, F_DUPFD_CLOEXEC, 0)
fcntl(fildes, F_DUP2FD_CLOEXEC, fildes2)

fopen

FILE *fopen(const char *path, const char *mode)
FILE *freopen(const char *path, const char *mode, FILE *stream)
Category
USE WITH CAUTION
Note
It's not possible to safely create files using fopen(). However, once a pathname is verified to exist, e.g., after mkstemp(), it can be used to open those pathnames. In other cases, a safe invocation of open() followed by fdopen() should be used.
Alternative
open() followed by fdopen(), e.g.:

FILE *fp;
int fd;

fd = open(path, O_CREAT|O_EXCL|O_WRONLY, 0600);
if (fd < 0) {
    ...
}
fp = fdopen(fd, "w");


fdopen

FILE *fdopen(int filedes, const char *mode)
Category
UNRESTRICTED
Note
Alternative for fopen()

access

int access(const char *path, in mode)
Category
AVOID
Note
This function is useless because the information it provides is outdated by the time you get to use it. Using access() followed by open() has a race condition that can't be solved.
Alternative
open() the file with the permissions of the intended user.

lstat

int lstat(const char *path, struct stat *buf)
int stat(const char *path, struct stat *buf)
int fstatat(int fildes, const char *path, struct stat *buf, int flag)
Category
USE WITH CAUTION
Note
None of these functions is suitable to check for the existence or absence of a file. lstat()/stat()/fstatat() followed by open() has an inherent race condition that can't be solved.
Alternative
If the purpose is to create the file if it doesn't exist, use

 open(file, O_CREAT|O_EXCL, mode).

 If the purpose is to read the file, open it for reading. If the purpose is to make sure the file attributes are correct before reading from it, use

 fd = open(file, O_RDONLY);
 fstat(fd, &statbuf);

 If the pathname can't be trusted, add O_NONBLOCK to the open-flags. This prevents the application from hanging upon opening a device.


chmod

int chmod(const char *path, mode_t mode)
int fchmodat(int fd, const char *path, mode_t mode, int flag)
int chown(const char *path, uid_t owner, gid_t group)
int lchown(const char *path, uid_t owner, gid_t group)
Category
AVOID
Note
These functions operate on pathnames and are prone to race conditions. Normally, programs shouldn't need to call chown/chmod but honor the current uid (switch back to it before opening files.) and umask. Note that chmod() always follows symbolic links.
Alternative
If a file's attributes need to be changed, the best way to do this is to safely open the file and use fchown/fchmod on the resulting file descriptor.

fchmod

int fchmod(int filedes, mode_t mode)
int fchown(int filedes, uid_t owner, gid_t group)
Category
UNRESTRICTED
Note
Preferred alternative to chmod and chown.

fstat

int fstat(int filedes, struct stat *buf)
Category
UNRESTRICTED
Note
Useful for checking that the file you've just opened is the file you expected to open.

bcopy

void bcopy(const void *s1, void *s2, size_t n)
void *memcpy(void *s1, const void *s2, size_t n)
Category
USE WITH CAUTION
Note
Should not be used for copying strings, even though the length may be known. Use strlcpy() in those cases instead.

catopen

nl_catd catopen(const char *name, int oflag)
Category
USE WITH CAUTION
Note
Libraries and programs should not call catopen() on user supplied pathnames. User supplied message catalogues can be leveraged to break privileged code easily.

chdir

int chdir(const char *path)
Category
USE WITH CAUTION
Note
This function is open to pathname race conditions. Do not use in multi-threaded programs.
Alternative
To avoid the race condition, use fchdir() after the directory has been open()-ed and the properties have been checked using fstat()).
 Solaris 11 has added the POSIX 2008 *at() versions of the system calls that operate on files (openat(), linkat(), mkdirat(), mkfifoat(), readlinkat(), symlinkat(), etc.) which take the file descriptor of a directory as the first argument, to use as the working directory for relative paths, to avoid the race condition when one thread calls chdir() while another is calling open(), unlink(), etc.

chroot

int chroot(const char *path)
Category
USE WITH CAUTION
Note
chroot'ed environments offer little protection; programs can easily escape. Make sure you run no privileged programs in a chroot()'ed environment and that you chdir() to a point below the new root after the chroot().
Alternative
Run in a non-global zone.

copylist

char *copylist(const char *filenm, off_t *szptr)
DBM *dbm_open(const char *file, int open_flags, mode_t file_mode) 
int dbminit(char *file)
Category
USE WITH CAUTION
Note
These functions open files and should only be used to open known-safe pathnames.

dlopen

void *dlopen(const char *pathname, int mode)
Category
USE WITH CAUTION
Note
Parameters passed to dlopen should only be unqualified pathnames which are then found using the runtime linker's path, or full pathnames not in any way derived from user input (including from argv[0] !!!) There is no way to safely open a user-supplied shared object; the object's _init() function is executed before dlopen() returns.

drand48

double drand48(void)
double erand48(unsigned short xi[3])
long lrand48(void)long mrand48(void)
long jrand48(unsigned short xi[3])
long nrand48(unsigned short xi[3])
void srand48(long seedval)
int rand(void)
int rand_r(unsigned int *seed)
void srand(unsigned int seed)
long random(void)
Category
AVOID
Note
These are weak random number generators; they are not useful for increasing security. If you need random numbers for security, it's better to use /dev/urandom, which is available starting with Solaris 9.

execvp

int execvp(const char *file, const char *argv[])
int execlp(const char *file, const char *arg0, ..., const char *argn, NULL)
Category
AVOID
Note
These functions are too dangerous to use in libraries or privileged commands and daemons because they find the executable by searching the directories in the PATH environment variable, which is under the complete control of the user. They should be avoided for most other programs.
Alternative
Carefully use one of the exec* functions defined below.

execl

int execl(const char *path, const char *arg0, ..., const char *argn, NULL)
int execv(const char *path, char *const argv[])
int execve(const char *path, char *const argv[], char *const envp[])
Category
USE WITH CAUTION
Note
Make sure that the environment is sanitized and unneeded file descriptors are closed before executing a new program.

fattach

int fattach(int filedes, const char *path)
Category
USE WITH CAUTION
Note
Check the file descriptor after open (using fstat()), not the pathname before the open.

sprintf

int sprintf(char *s, const char *fmt, ...)
int vsprintf(char *s, const char *fmt, va_list ap)
Category
AVOID
Note
sprintf() and vsprintf() are typical buffer overflow causes. If, for whatever reason, you must use these functions, make sure that the fmt argument can't be user-controlled and that you can trust the parameters not to overflow the destination buffer.
Alternative
snprintf()/vsnprintf()
 asprintf() New in Solaris 11

printf

int printf(const char *format, ...)
int vprintf(const char *format, va_list ap)
int fprintf(FILE *stream, const char *format, ...)
int vfprintf(FILE *stream, const char *format, va_list ap)
int snprintf(char *s, size_t n, const char *format, ...)
int vsnprintf(char *s, size_t n, const char *format, va_list ap)
int wprintf(const wchar_t *format, ...)
int vwprintf(const wchar_t format, va_list arg)
int fwprintf(FILE *stream, const wchar_t *format, ...)
int vfwprintf(FILE *stream, const wchar_t *format, va_list arg)
int swprintf(wchar_t *s, size_t n, const wchar_t *format, ...)
int vswprintf(wchar_t *s, size_t n, const wchar_t *format, va_list arg)
int asprintf(char **ret, const char *format, ...)
Category
USE WITH CAUTION
Note
At risk from user-specified format strings. If the format string comes from a message catalog, verify your NLSPATH manipulations and catopen()/catget() uses. (The C library tries to be safe by ignoring NLSPATH settings for set-uid and set-gid applications.)
Note
snprintf() and vsnprintf() return the number of characters that would have been written to the buffer if it were large enough. You can't use this value in constructs like:

 p += snprintf(p, lenp, "...");

since p might point beyond p+lenp afterwards.


syslog

void syslog(int priority, const char *message, ...)
void vsyslog(int priority, const char *message, va_list ap)
Category
USE WITH CAUTION
Note
At risk from user-specified format strings. Verify your NLSPATH manipulations and catopen()/catget() uses.

scanf

int scanf(const char *format, ...)
int vscanf(const char *format, va_list arg)
int fscanf(FILE *stream, const char *format, ...)
int vfscanf(FILE *stream, const char *format, va_list arg)
int sscanf(const char *s, const char *format, ...)
int vsscanf(const char *s, const char *format, va_list arg)
Category
USE WITH CAUTION
Note
When scanning strings, make sure the format specified includes maximum buffer lengths, thus use

scanf("%10s", p);

to limit scanf() to reading 10 characters at most. Note that the corresponding buffer must be at least eleven bytes to allow space for the terminating NUL character.


ftw

int ftw(const char *path, int (*fn)(), int depth)
int nftw(const char *path, int (*fn)(), int depth, int flags)
Category
USE WITH CAUTION
Note
ftw follows symbolic links and crosses mount points.
Alternative
use nftw with the appropriate flags set (a combination of FTW_PHYS and FTW_MOUNT).

getenv

char *getenv(const char *name)
Category
USE WITH CAUTION
Note
The environment is completely user-specified. When possible, use of getenv() should be avoided in libraries. Strings returned by getenv() can be up to NCARGS bytes long (that's currently 1MB for 32-bit environments.) Pathnames derived from environment variables should not be trusted. They should not be used as input for any of the *open() functions (including catopen() and dlopen()).

getlogin

char *getlogin(void)
Category
AVOID
Note
The value returned by getlogin() is not reliable; it is a mere hint as to the user name.

getpass

char *getpass(const char *prompt)
Category
AVOID
Note
Only the first 8 bytes of input are used. Avoid using it in new code.
Alternative
getpassphrase().

kvm_open

kvm_t *kvm_open(char *namelist, char *corefile, char *swapfile, int flag, char *errstr)
int nlist(const char *filename, struct nlist *nl)
Category
AVOID
Note
Write a proper kstat or other interface if you need information from the kernel. If you accept a user-specified namelist argument, make sure you revoke privileges before using it. If you don't, a specifically constructed namelist can be used to read random parts of the kernel, revealing possibly sensitive data.

mkdir

int mkdir(const char *path, mode_t mode)
int mkdirat(int fd, const char *path, mode_t mode)
int mknod(const char *path, mode_t mode, dev_t dev)
int mknodat(int fd, const char *path, mode_t mode, dev_t dev)
Category
USE WITH CAUTION
Note
Be careful about the path used. These functions will not follow symlinks for the last component, so they are relatively safe.

mkstemp

int mkstemp(char *template)
Category
UNRESTRICTED
Note
Safe temporary file creation function.

mktemp

char *mktemp(char *template)
Category
AVOID
Note
Generates temporary filename, but the use of the generated pathname is not guaranteed safe since there is a race condition between the checks in mktemp() and the subsequent open() by the application.
Alternative
Use mkstemp() to create a file, mkdtemp() to create a directory.

popen

FILE *popen(const char *command, const char *mode)
int p2open(const char *cmd, FILE *fp[2])
int system(const char *string)
Category
AVOID
Note
These three library calls always involve the shell which involves PATH, IFS, other environment variables and interpretation of special characters.

strccpy

char *strccpy(char *output, const char *input)
char *strcadd(char *output, const char *input)
char *streadd(char *output, const char *input)
char *strecpy(char *output, const char *input, const char *exceptions)
char *strtrns(const char *string, const char *old, const char *new, char *result)
Category
USE WITH CAUTION
Note
Similar problems as with strcpy(). See the manual pages on proper use.

tempnam

char *tempnam(const char *dir, const char *pfx)
char *tmpnam(char *s)
char *tmpnam_r(char *s)
Category
AVOID
Note
These functions are not suitable for generating unpredictable filenames. There is a race condition between the generation of the filename and its use in, e.g., open()
Alternative
mkstemp()

tmpfile

FILE *tmpfile(void)
Category
USE WITH CAUTION
Note
Uses mkstemp() since Solaris 2.6 or thereabouts, so is safe to use. However: since this function changes the umask, it is not multi-thread safe.

truncate

int truncate(const char *path, off_t length)
Category
AVOID
Note
This function is prone to pathname race conditions.
Alternative
Use ftruncate() after a safe open().

umask

mode_t umask(mode_t cmask)
Category
USE WITH CAUTION
Note
Shouldn't be used in libraries or applications; the user knows best and his umask should be used. Also not multi-thread safe.

utmpname

int utmpname(const char *file)
int utmpxname(const char *file)
Category
AVOID
Note
Use the default utmp and utmpx files.
分享到:
评论

相关推荐

    C函数库 C语言库下载

    C函数库,也被称为C语言库,是C编程语言中不可或缺的一部分。这些库包含了大量预定义的函数,供程序员在编写程序时调用,以实现特定的功能,如输入输出操作、数学运算、字符串处理、内存管理等。C语言库不仅提高了...

    C语言标准函数库详解.pdf

    需要注意的是,C语言标准函数库中的函数都可以被重载,以适应不同的编程需求。同时,C语言标准函数库也提供了许多宏定义,例如:NULL、TRUE、FALSE等,用于实现常见的操作。 C语言标准函数库提供了一组强大且灵活的...

    C语言函数库 C语言函数库和文件(完).doc

    C语言函数库是C编程中不可或缺的部分,它们包含了一系列预先编写好的函数,供程序员在编写程序时调用,以实现特定的功能。C语言函数库包括标准库和其他自定义库。标准库提供了大量的基本操作,如输入输出、数学计算...

    c_lib_functon.rar_C函数库_C常用函数库_c++函数库_c语言函数库_函数

    本资料“c_lib_function.rar”是一个关于C语言库函数的详细指南,涵盖了C常用函数库以及与C++相关的函数库,旨在帮助开发者深入理解和熟练运用这些函数。 C语言标准库中包含了许多常用的函数,例如输入/输出操作...

    C语言函数库_大全

    C语言函数库是编程者在使用C语言进行程序开发时不可或缺的一部分。它包含了大量预先编写好的函数,...同时,需要注意的是,不同的编译器或运行环境可能还会提供一些非标准的扩展库,这些库在跨平台编程时需要特别留意。

    C语言函数库C语言函数库.doc

    需要注意的是,在abort函数被调用后,程序将终止执行,不会继续执行return语句。 abs函数 abs函数的主要功能是求一个整数的绝对值。该函数的用法为`int abs(int i);`。下面是一个使用abs函数的示例程序: ```c #...

    C32函数库 PIC32函数库

    虽然C32函数库极大地便利了开发者,但在使用过程中也需要注意以下几点: 1. **性能考量**:虽然函数库提供了丰富的功能,但过度依赖可能会增加代码体积和运行时开销,因此在性能敏感的应用中需谨慎选择。 2. **资源...

    C语言函数库查询手册

    《C语言函数库查询手册》是一本非常实用的编程参考资料,尤其对于正在学习或从事C语言编程的开发者来说,它提供了全面的C语言标准库函数的详细信息。这本书旨在帮助读者快速查找和理解C语言中的各种函数,提高编程...

    java调用C语言编写的so库中的函数,java调用C语言编写的dll库中的函数

    例如,`JavaJNA——dll回调函数实现 - 百度文库-java传回调函数给c语言写的so,dll.url`可能展示了如何在JNA中传递回调函数给C库。 对于数组和字符串的传递,Java与JNI之间的数据交换需要特别注意。例如,`java层向...

    c函数库速查 c函数库速查

    然而,需要注意的是,虽然C函数库强大,但不提供自动内存管理,程序员需要手动管理内存,这既是C语言的魅力所在,也是其潜在的风险。因此,在使用C函数库时,一定要注意内存安全,避免出现缓冲区溢出、空指针引用等...

    C语言函数库!

    C语言提供了一系列的函数库来帮助开发者高效地处理字符串。这些函数库通常被包含在`&lt;string.h&gt;`和`&lt;stdlib.h&gt;`等头文件中,它们包含了从简单的字符串复制、比较到复杂的字符串解析和转换等功能。 ### C语言字符串...

    C语言函数库大全 chm

    C语言函数库包含了C标准库(C Standard Library)中的所有函数,这些函数是C编程的基础,包括输入/输出操作、内存管理、字符串处理、数学运算等各个方面。例如: 1. **输入/输出操作**:如`printf`和`scanf`,这两...

    用C语言实现polyfit函数

    对于C语言实现的polyfit函数,我们还需要注意内存管理,避免溢出和精度损失,尤其是在处理大型数据集时。 总之,使用C语言实现polyfit函数是一项涉及数值分析和线性代数的任务,需要理解和应用最小二乘法、矩阵运算...

    C语言函数库,非常适用于C语言初学者

    C语言函数库是C语言编程的核心组成部分,对于初学者来说,理解和掌握这些函数至关重要。C语言函数库,也称为标准库,提供了大量的预定义函数,用于处理各种编程任务,如输入输出、字符串操作、数学计算、内存管理等...

    C函数查寻 C函数 C语言 函数查寻工具

    在编程过程中,经常需要查阅函数的用法和细节,这时就需要借助专门的C函数查寻工具。 一种常见的C函数查寻工具有在线文档,如C语言参考手册(C++ Reference)和 cdecl.org。这些网站提供了详尽的C标准库函数文档,...

    C语言函数库详解(收藏版)

    函数需要能够处理数量和类型可变的参数时,会用到这个头文件中的宏。它主要被用于实现那些参数数量不定的函数。 10. 定义了一些标准数据类型的别名和宏,如size_t、wchar_t、NULL等。这些别名和宏是可移植的,...

    TC api文档.rar_C语言标准函数库中malloc_TC_api文档_c 函数库_c语言函数库

    在C语言编程中,标准函数库是一组预定义的函数,...总的来说,理解和熟练使用C语言标准函数库是每个C程序员的基础技能。熟悉并掌握`malloc()`等内存管理函数以及库中的其他函数,能帮助开发者编写出高效、可靠的代码。

    C编程助手 C语言函数库

    《C编程助手——C语言函数库》 C语言是一种强大的、高效的编程语言,它以其简洁的语法和广泛的适用性在软件开发领域占据了重要的地位。在C语言编程中,函数库扮演着至关重要的角色,它提供了丰富的功能,帮助程序员...

    C语言加载的lapack函数库

    LAPACK,全称为线性代数包(Linear Algebra Package),是C语言中广泛使用的一个数学函数库,专为高效解决线性代数问题而设计。这个强大的库提供了丰富的算法,包括但不限于求解线性方程组、计算特征值和特征向量、...

    c语言time函数库详解

    在C语言中,`time`函数库是进行时间操作的核心部分,它提供了处理时间的工具,包括获取当前时间、计算时间差以及格式化时间显示等。`time.h`头文件包含了与时间相关的所有函数和数据类型定义。在这个库中,我们主要...

Global site tag (gtag.js) - Google Analytics