CWE-242
Use of Inherently Dangerous Function
AI Translation Available
The product calls a function that can never be guaranteed to work safely.
Status
draft
Abstraction
base
Likelihood
high
Affected Platforms
C
C++
Extended Description
AI Translation
Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.
Technical Details
AI Translation
Common Consequences
other
Impacts
varies by context
Detection Methods
automated static analysis
Potential Mitigations
Phases:
build and compilation
implementation
testing
Descriptions:
•
Use grep or static analysis tools to spot usage of dangerous functions.
•
Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the "banned.h" include file from Microsoft's SDL. [REF-554] [REF-1009] [REF-7]