gets
char *gets(char *s)
Category
UNSAFE
Note
This function does not check for bounds while storing the input. This function can't be used securely.
Alternative
fgets(buf, sizeof (buf), stdin)
getline(buf, bufsize, stdin) New in Solaris 11
cftime
int cftime(char *s, char *format, const time_t *clock)
int ascftime(char *s, const char *format, const struct tm *timeptr)
Category
UNSAFE
Note
These routines do no bounds checking on the output buffer and may import user-data through the environment variable CFTIME.
Alternative
strftime(buf, sizeof (buf), fmt, &tm)
strcat
char *strcat(char *s1, const char *s2)
char *strcpy(char *s1, const char *s2)
Category
AVOID
Note
It is not possible to limit these functions to a maximum buffer size. Although one can calculate the amount of space needed before calling strcat or strcpy, the use of these functions will always force reviewers to follow the logic, and prevent automated scanning of source code for vulnerabilities.
Alternative
strlcat(dst, src, dstsize)
strlcpy(dst, src, dstsize)
strncat
char *strncat(char *s1, const char *s2, size_t n)
char *strncpy(char *s1, const char *s2, size_t n)
Category
USE WITH CAUTION
Note
strncpy() is not guaranteed to null-terminate the destination buffer. strncat() is hard to use as it requires the proper size of the destination buffer to be calculated.
Note
The fact that strncpy() does not null- terminate on insufficient space, together with the side effect that it will add NUL bytes if there is space left makes it a useful function for updating structures that reside on disk, for example wtmpx, which are often generated with write(fd, w, sizeof (*w));
Alternative
strlcpy(dst, src, dstsize)
strlcat(dst, src, dstsize)
strlcpy
size_t strlcpy(char *dst, const char *src, size_t dstsize)
size_t strlcat(char *dst, const char *src, size_t dstsize)
Category
UNRESTRICTED
Note
Preferred alternative to strcpy/strcat functions. Available in Solaris 8 and later. Should be used with constant and not computed size arguments to facilitate code review.
open
int open(const char *path, int oflag, /* mode_t mode */...)
int creat(const char *path, mode_t mode)
Category
USE WITH CAUTION
Note
When opening for reading from a privileged program, make sure that you open the file as the user by dropping privileges or setting the effective uid to the real uid. Under no circumstances should programs implement their own access control based on file ownership and modes. Similarly, when creating files, do not open() and then chown() the file.
Note
When opening for writing, the program can be tricked into opening the wrong file by following symbolic or hard links. To avoid this problem, either use the O_NOFOLLOW and O_NOLINKS flags, or use O_CREAT|O_EXCL to ensure that a new file is created instead of opening an existing file.
Note
When opening a file, consider if the file descriptor should be kept open across an exec() call. In Solaris 11, you can specify O_CLOEXEC in the open flags to atomically mark the file descriptor to be closed by exec system calls. In older releases, you will need to use fcntl() with the FD_CLOEXEC flag, which allows a race condition in multithreaded programs, if another thread forks and execs between the open() and fcntl() calls.
dup
int dup(int fildes)
int dup2(int fildes, int fildes2)
Category
USE WITH CAUTION
Note
dup() and dup2() both return file descriptors with the FD_CLOEXEC cleared so that they may leak when a program calls exec(). Older code made fcntl() calls shortly after these functions returned to set that flag, but in multi-threaded code (including programs that only run one thread themselves, but may be linked with libraries that run additional threads), that leaves a window open for a race with another thread. The F_DUPFD_CLOEXEC & F_DUP2FD_CLOEXEC calls to fcntl (available in Solaris 11 and later releases) combine the duplication & flag setting into an atomic operation so there is no race.
Alternative
fcntl(fildes, F_DUPFD_CLOEXEC, 0)
fcntl(fildes, F_DUP2FD_CLOEXEC, fildes2)
fopen
FILE *fopen(const char *path, const char *mode)
FILE *freopen(const char *path, const char *mode, FILE *stream)
Category
USE WITH CAUTION
Note
It's not possible to safely create files using fopen(). However, once a pathname is verified to exist, e.g., after mkstemp(), it can be used to open those pathnames. In other cases, a safe invocation of open() followed by fdopen() should be used.
Alternative
open() followed by fdopen(), e.g.:
FILE *fp;
int fd;
fd = open(path, O_CREAT|O_EXCL|O_WRONLY, 0600);
if (fd < 0) {
...
}
fp = fdopen(fd, "w");
fdopen
FILE *fdopen(int filedes, const char *mode)
Category
UNRESTRICTED
Note
Alternative for fopen()
access
int access(const char *path, in mode)
Category
AVOID
Note
This function is useless because the information it provides is outdated by the time you get to use it. Using access() followed by open() has a race condition that can't be solved.
Alternative
open() the file with the permissions of the intended user.
lstat
int lstat(const char *path, struct stat *buf)
int stat(const char *path, struct stat *buf)
int fstatat(int fildes, const char *path, struct stat *buf, int flag)
Category
USE WITH CAUTION
Note
None of these functions is suitable to check for the existence or absence of a file. lstat()/stat()/fstatat() followed by open() has an inherent race condition that can't be solved.
Alternative
If the purpose is to create the file if it doesn't exist, use
open(file, O_CREAT|O_EXCL, mode).
If the purpose is to read the file, open it for reading. If the purpose is to make sure the file attributes are correct before reading from it, use
fd = open(file, O_RDONLY);
fstat(fd, &statbuf);
If the pathname can't be trusted, add O_NONBLOCK to the open-flags. This prevents the application from hanging upon opening a device.
chmod
int chmod(const char *path, mode_t mode)
int fchmodat(int fd, const char *path, mode_t mode, int flag)
int chown(const char *path, uid_t owner, gid_t group)
int lchown(const char *path, uid_t owner, gid_t group)
Category
AVOID
Note
These functions operate on pathnames and are prone to race conditions. Normally, programs shouldn't need to call chown/chmod but honor the current uid (switch back to it before opening files.) and umask. Note that chmod() always follows symbolic links.
Alternative
If a file's attributes need to be changed, the best way to do this is to safely open the file and use fchown/fchmod on the resulting file descriptor.
fchmod
int fchmod(int filedes, mode_t mode)
int fchown(int filedes, uid_t owner, gid_t group)
Category
UNRESTRICTED
Note
Preferred alternative to chmod and chown.
fstat
int fstat(int filedes, struct stat *buf)
Category
UNRESTRICTED
Note
Useful for checking that the file you've just opened is the file you expected to open.
bcopy
void bcopy(const void *s1, void *s2, size_t n)
void *memcpy(void *s1, const void *s2, size_t n)
Category
USE WITH CAUTION
Note
Should not be used for copying strings, even though the length may be known. Use strlcpy() in those cases instead.
catopen
nl_catd catopen(const char *name, int oflag)
Category
USE WITH CAUTION
Note
Libraries and programs should not call catopen() on user supplied pathnames. User supplied message catalogues can be leveraged to break privileged code easily.
chdir
int chdir(const char *path)
Category
USE WITH CAUTION
Note
This function is open to pathname race conditions. Do not use in multi-threaded programs.
Alternative
To avoid the race condition, use fchdir() after the directory has been open()-ed and the properties have been checked using fstat()).
Solaris 11 has added the POSIX 2008 *at() versions of the system calls that operate on files (openat(), linkat(), mkdirat(), mkfifoat(), readlinkat(), symlinkat(), etc.) which take the file descriptor of a directory as the first argument, to use as the working directory for relative paths, to avoid the race condition when one thread calls chdir() while another is calling open(), unlink(), etc.
chroot
int chroot(const char *path)
Category
USE WITH CAUTION
Note
chroot'ed environments offer little protection; programs can easily escape. Make sure you run no privileged programs in a chroot()'ed environment and that you chdir() to a point below the new root after the chroot().
Alternative
Run in a non-global zone.
copylist
char *copylist(const char *filenm, off_t *szptr)
DBM *dbm_open(const char *file, int open_flags, mode_t file_mode)
int dbminit(char *file)
Category
USE WITH CAUTION
Note
These functions open files and should only be used to open known-safe pathnames.
dlopen
void *dlopen(const char *pathname, int mode)
Category
USE WITH CAUTION
Note
Parameters passed to dlopen should only be unqualified pathnames which are then found using the runtime linker's path, or full pathnames not in any way derived from user input (including from argv[0] !!!) There is no way to safely open a user-supplied shared object; the object's _init() function is executed before dlopen() returns.
drand48
double drand48(void)
double erand48(unsigned short xi[3])
long lrand48(void)long mrand48(void)
long jrand48(unsigned short xi[3])
long nrand48(unsigned short xi[3])
void srand48(long seedval)
int rand(void)
int rand_r(unsigned int *seed)
void srand(unsigned int seed)
long random(void)
Category
AVOID
Note
These are weak random number generators; they are not useful for increasing security. If you need random numbers for security, it's better to use /dev/urandom, which is available starting with Solaris 9.
execvp
int execvp(const char *file, const char *argv[])
int execlp(const char *file, const char *arg0, ..., const char *argn, NULL)
Category
AVOID
Note
These functions are too dangerous to use in libraries or privileged commands and daemons because they find the executable by searching the directories in the PATH environment variable, which is under the complete control of the user. They should be avoided for most other programs.
Alternative
Carefully use one of the exec* functions defined below.
execl
int execl(const char *path, const char *arg0, ..., const char *argn, NULL)
int execv(const char *path, char *const argv[])
int execve(const char *path, char *const argv[], char *const envp[])
Category
USE WITH CAUTION
Note
Make sure that the environment is sanitized and unneeded file descriptors are closed before executing a new program.
fattach
int fattach(int filedes, const char *path)
Category
USE WITH CAUTION
Note
Check the file descriptor after open (using fstat()), not the pathname before the open.
sprintf
int sprintf(char *s, const char *fmt, ...)
int vsprintf(char *s, const char *fmt, va_list ap)
Category
AVOID
Note
sprintf() and vsprintf() are typical buffer overflow causes. If, for whatever reason, you must use these functions, make sure that the fmt argument can't be user-controlled and that you can trust the parameters not to overflow the destination buffer.
Alternative
snprintf()/vsnprintf()
asprintf() New in Solaris 11
printf
int printf(const char *format, ...)
int vprintf(const char *format, va_list ap)
int fprintf(FILE *stream, const char *format, ...)
int vfprintf(FILE *stream, const char *format, va_list ap)
int snprintf(char *s, size_t n, const char *format, ...)
int vsnprintf(char *s, size_t n, const char *format, va_list ap)
int wprintf(const wchar_t *format, ...)
int vwprintf(const wchar_t format, va_list arg)
int fwprintf(FILE *stream, const wchar_t *format, ...)
int vfwprintf(FILE *stream, const wchar_t *format, va_list arg)
int swprintf(wchar_t *s, size_t n, const wchar_t *format, ...)
int vswprintf(wchar_t *s, size_t n, const wchar_t *format, va_list arg)
int asprintf(char **ret, const char *format, ...)
Category
USE WITH CAUTION
Note
At risk from user-specified format strings. If the format string comes from a message catalog, verify your NLSPATH manipulations and catopen()/catget() uses. (The C library tries to be safe by ignoring NLSPATH settings for set-uid and set-gid applications.)
Note
snprintf() and vsnprintf() return the number of characters that would have been written to the buffer if it were large enough. You can't use this value in constructs like:
p += snprintf(p, lenp, "...");
since p might point beyond p+lenp afterwards.
syslog
void syslog(int priority, const char *message, ...)
void vsyslog(int priority, const char *message, va_list ap)
Category
USE WITH CAUTION
Note
At risk from user-specified format strings. Verify your NLSPATH manipulations and catopen()/catget() uses.
scanf
int scanf(const char *format, ...)
int vscanf(const char *format, va_list arg)
int fscanf(FILE *stream, const char *format, ...)
int vfscanf(FILE *stream, const char *format, va_list arg)
int sscanf(const char *s, const char *format, ...)
int vsscanf(const char *s, const char *format, va_list arg)
Category
USE WITH CAUTION
Note
When scanning strings, make sure the format specified includes maximum buffer lengths, thus use
scanf("%10s", p);
to limit scanf() to reading 10 characters at most. Note that the corresponding buffer must be at least eleven bytes to allow space for the terminating NUL character.
ftw
int ftw(const char *path, int (*fn)(), int depth)
int nftw(const char *path, int (*fn)(), int depth, int flags)
Category
USE WITH CAUTION
Note
ftw follows symbolic links and crosses mount points.
Alternative
use nftw with the appropriate flags set (a combination of FTW_PHYS and FTW_MOUNT).
getenv
char *getenv(const char *name)
Category
USE WITH CAUTION
Note
The environment is completely user-specified. When possible, use of getenv() should be avoided in libraries. Strings returned by getenv() can be up to NCARGS bytes long (that's currently 1MB for 32-bit environments.) Pathnames derived from environment variables should not be trusted. They should not be used as input for any of the *open() functions (including catopen() and dlopen()).
getlogin
char *getlogin(void)
Category
AVOID
Note
The value returned by getlogin() is not reliable; it is a mere hint as to the user name.
getpass
char *getpass(const char *prompt)
Category
AVOID
Note
Only the first 8 bytes of input are used. Avoid using it in new code.
Alternative
getpassphrase().
kvm_open
kvm_t *kvm_open(char *namelist, char *corefile, char *swapfile, int flag, char *errstr)
int nlist(const char *filename, struct nlist *nl)
Category
AVOID
Note
Write a proper kstat or other interface if you need information from the kernel. If you accept a user-specified namelist argument, make sure you revoke privileges before using it. If you don't, a specifically constructed namelist can be used to read random parts of the kernel, revealing possibly sensitive data.
mkdir
int mkdir(const char *path, mode_t mode)
int mkdirat(int fd, const char *path, mode_t mode)
int mknod(const char *path, mode_t mode, dev_t dev)
int mknodat(int fd, const char *path, mode_t mode, dev_t dev)
Category
USE WITH CAUTION
Note
Be careful about the path used. These functions will not follow symlinks for the last component, so they are relatively safe.
mkstemp
int mkstemp(char *template)
Category
UNRESTRICTED
Note
Safe temporary file creation function.
mktemp
char *mktemp(char *template)
Category
AVOID
Note
Generates temporary filename, but the use of the generated pathname is not guaranteed safe since there is a race condition between the checks in mktemp() and the subsequent open() by the application.
Alternative
Use mkstemp() to create a file, mkdtemp() to create a directory.
popen
FILE *popen(const char *command, const char *mode)
int p2open(const char *cmd, FILE *fp[2])
int system(const char *string)
Category
AVOID
Note
These three library calls always involve the shell which involves PATH, IFS, other environment variables and interpretation of special characters.
strccpy
char *strccpy(char *output, const char *input)
char *strcadd(char *output, const char *input)
char *streadd(char *output, const char *input)
char *strecpy(char *output, const char *input, const char *exceptions)
char *strtrns(const char *string, const char *old, const char *new, char *result)
Category
USE WITH CAUTION
Note
Similar problems as with strcpy(). See the manual pages on proper use.
tempnam
char *tempnam(const char *dir, const char *pfx)
char *tmpnam(char *s)
char *tmpnam_r(char *s)
Category
AVOID
Note
These functions are not suitable for generating unpredictable filenames. There is a race condition between the generation of the filename and its use in, e.g., open()
Alternative
mkstemp()
tmpfile
FILE *tmpfile(void)
Category
USE WITH CAUTION
Note
Uses mkstemp() since Solaris 2.6 or thereabouts, so is safe to use. However: since this function changes the umask, it is not multi-thread safe.
truncate
int truncate(const char *path, off_t length)
Category
AVOID
Note
This function is prone to pathname race conditions.
Alternative
Use ftruncate() after a safe open().
umask
mode_t umask(mode_t cmask)
Category
USE WITH CAUTION
Note
Shouldn't be used in libraries or applications; the user knows best and his umask should be used. Also not multi-thread safe.
utmpname
int utmpname(const char *file)
int utmpxname(const char *file)
Category
AVOID
Note
Use the default utmp and utmpx files.
相关推荐
C函数库,也被称为C语言库,是C编程语言中不可或缺的一部分。这些库包含了大量预定义的函数,供程序员在编写程序时调用,以实现特定的功能,如输入输出操作、数学运算、字符串处理、内存管理等。C语言库不仅提高了...
需要注意的是,C语言标准函数库中的函数都可以被重载,以适应不同的编程需求。同时,C语言标准函数库也提供了许多宏定义,例如:NULL、TRUE、FALSE等,用于实现常见的操作。 C语言标准函数库提供了一组强大且灵活的...
C语言函数库是C编程中不可或缺的部分,它们包含了一系列预先编写好的函数,供程序员在编写程序时调用,以实现特定的功能。C语言函数库包括标准库和其他自定义库。标准库提供了大量的基本操作,如输入输出、数学计算...
本资料“c_lib_function.rar”是一个关于C语言库函数的详细指南,涵盖了C常用函数库以及与C++相关的函数库,旨在帮助开发者深入理解和熟练运用这些函数。 C语言标准库中包含了许多常用的函数,例如输入/输出操作...
C语言函数库是编程者在使用C语言进行程序开发时不可或缺的一部分。它包含了大量预先编写好的函数,...同时,需要注意的是,不同的编译器或运行环境可能还会提供一些非标准的扩展库,这些库在跨平台编程时需要特别留意。
需要注意的是,在abort函数被调用后,程序将终止执行,不会继续执行return语句。 abs函数 abs函数的主要功能是求一个整数的绝对值。该函数的用法为`int abs(int i);`。下面是一个使用abs函数的示例程序: ```c #...
虽然C32函数库极大地便利了开发者,但在使用过程中也需要注意以下几点: 1. **性能考量**:虽然函数库提供了丰富的功能,但过度依赖可能会增加代码体积和运行时开销,因此在性能敏感的应用中需谨慎选择。 2. **资源...
《C语言函数库查询手册》是一本非常实用的编程参考资料,尤其对于正在学习或从事C语言编程的开发者来说,它提供了全面的C语言标准库函数的详细信息。这本书旨在帮助读者快速查找和理解C语言中的各种函数,提高编程...
例如,`JavaJNA——dll回调函数实现 - 百度文库-java传回调函数给c语言写的so,dll.url`可能展示了如何在JNA中传递回调函数给C库。 对于数组和字符串的传递,Java与JNI之间的数据交换需要特别注意。例如,`java层向...
然而,需要注意的是,虽然C函数库强大,但不提供自动内存管理,程序员需要手动管理内存,这既是C语言的魅力所在,也是其潜在的风险。因此,在使用C函数库时,一定要注意内存安全,避免出现缓冲区溢出、空指针引用等...
C语言提供了一系列的函数库来帮助开发者高效地处理字符串。这些函数库通常被包含在`<string.h>`和`<stdlib.h>`等头文件中,它们包含了从简单的字符串复制、比较到复杂的字符串解析和转换等功能。 ### C语言字符串...
C语言函数库包含了C标准库(C Standard Library)中的所有函数,这些函数是C编程的基础,包括输入/输出操作、内存管理、字符串处理、数学运算等各个方面。例如: 1. **输入/输出操作**:如`printf`和`scanf`,这两...
对于C语言实现的polyfit函数,我们还需要注意内存管理,避免溢出和精度损失,尤其是在处理大型数据集时。 总之,使用C语言实现polyfit函数是一项涉及数值分析和线性代数的任务,需要理解和应用最小二乘法、矩阵运算...
C语言函数库是C语言编程的核心组成部分,对于初学者来说,理解和掌握这些函数至关重要。C语言函数库,也称为标准库,提供了大量的预定义函数,用于处理各种编程任务,如输入输出、字符串操作、数学计算、内存管理等...
在编程过程中,经常需要查阅函数的用法和细节,这时就需要借助专门的C函数查寻工具。 一种常见的C函数查寻工具有在线文档,如C语言参考手册(C++ Reference)和 cdecl.org。这些网站提供了详尽的C标准库函数文档,...
函数需要能够处理数量和类型可变的参数时,会用到这个头文件中的宏。它主要被用于实现那些参数数量不定的函数。 10. 定义了一些标准数据类型的别名和宏,如size_t、wchar_t、NULL等。这些别名和宏是可移植的,...
在C语言编程中,标准函数库是一组预定义的函数,...总的来说,理解和熟练使用C语言标准函数库是每个C程序员的基础技能。熟悉并掌握`malloc()`等内存管理函数以及库中的其他函数,能帮助开发者编写出高效、可靠的代码。
《C编程助手——C语言函数库》 C语言是一种强大的、高效的编程语言,它以其简洁的语法和广泛的适用性在软件开发领域占据了重要的地位。在C语言编程中,函数库扮演着至关重要的角色,它提供了丰富的功能,帮助程序员...
LAPACK,全称为线性代数包(Linear Algebra Package),是C语言中广泛使用的一个数学函数库,专为高效解决线性代数问题而设计。这个强大的库提供了丰富的算法,包括但不限于求解线性方程组、计算特征值和特征向量、...
在C语言中,`time`函数库是进行时间操作的核心部分,它提供了处理时间的工具,包括获取当前时间、计算时间差以及格式化时间显示等。`time.h`头文件包含了与时间相关的所有函数和数据类型定义。在这个库中,我们主要...