Unchecked return value of scanf-family functions
ID:       c.miscellaneous.unchecked_ret_scanf_etc
Severity: low
Resource: Miscellaneous
Language: C / C++
Description
The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Rationale
The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. The scanf family (scanf, sscanf, fscanf and their variants) reports the number of input items successfully assigned, or EOF if input ends before the first conversion. When that value is ignored, a failed conversion goes unnoticed: the output arguments keep whatever they held before the call, and the program continues with stale or uninitialized data as if the parse had succeeded.
The following code illustrates a vulnerable pattern detected by this rule:
```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* The enclosing function, its parameters and the errstr declaration are
 * assumed for context; the page's snippet starts mid-function. */
static int
atouid(const char *s, uid_t *uid)
{
    const char *errstr = NULL;
    struct passwd *pw;

    /* A user name resolves through the password database. */
    if ((pw = getpwnam(s)) != NULL)
    {
        *uid = pw->pw_uid;
        return 0;
    }
    /* Otherwise parse the string as a numeric uid. */
#if !defined(__linux__) && !defined(__NetBSD__)
    *uid = strtonum(s, 0, UID_MAX, &errstr);   /* range-checked, reports errors via errstr */
#else
    // VULNERABLE: Unchecked return value of scanf-family functions
    sscanf(s, "%d", uid);   /* a failed conversion leaves *uid unset and is never detected */
#endif
    if (errstr)
        return -1;
    return 0;
}
```
Remediation
Check the return value of every scanf-family call against the number of conversions requested and treat EOF or a smaller count as a parse failure, so that the output arguments are never used after a failed conversion. Follow secure coding practices and review the rule's references for detailed remediation guidance.
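The following is an added example, not code from the rule page or from the project the snippet above was taken from. It places the flagged pattern next to two corrected forms: the minimal fix that checks the sscanf return value, and a hardened numeric uid parser built on strtoul that performs the kind of range and syntax checks the strtonum branch gets for free. All function names are assumed, and the maximum uid is derived from uid_t rather than the page's UID_MAX.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Mirrors the flagged pattern: the sscanf return value is ignored, so a
 * failed conversion leaves *out untouched and the function still reports
 * success. (Assumed names; not the project's code.) */
int parse_int_unchecked(const char *s, int *out)
{
    sscanf(s, "%d", out);   /* VULNERABLE: return value not checked */
    return 0;
}

/* Minimal fix: sscanf returns the number of items assigned (or EOF), so
 * anything other than 1 means the conversion did not happen. */
int parse_int_checked(const char *s, int *out)
{
    int v;
    if (sscanf(s, "%d", &v) != 1)
        return -1;
    *out = v;
    return 0;
}

/* Hardened numeric uid parser in the spirit of the strtonum() branch:
 * rejects empty input, signs, leading whitespace, trailing junk and
 * out-of-range values, none of which "%d" into a uid_t would report. */
int parse_uid(const char *s, uid_t *uid)
{
    char *end;
    unsigned long val;

    if (s == NULL || *s == '\0' || *s == '-' || *s == '+' || isspace((unsigned char)*s))
        return -1;
    errno = 0;
    val = strtoul(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;
    if (val > (unsigned long)(uid_t)-1)   /* largest representable uid; stands in for UID_MAX */
        return -1;
    *uid = (uid_t)val;
    return 0;
}

/* Helpers that expose each outcome as a plain return value. */
int unchecked_result_for(const char *s, int initial)
{
    int out = initial;
    parse_int_unchecked(s, &out);
    return out;   /* still 'initial' when the conversion failed */
}

int checked_status_for(const char *s)
{
    int out = 0;
    return parse_int_checked(s, &out);
}

long parse_uid_or_minus1(const char *s)
{
    uid_t uid = 0;
    return parse_uid(s, &uid) == 0 ? (long)uid : -1L;
}

int main(void)
{
    /* Constructed inputs: a non-numeric string, a valid uid, and malformed uids. */
    printf("unchecked \"abc\" starting from 1234 -> %d\n", unchecked_result_for("abc", 1234));
    printf("checked   \"abc\" -> status %d\n", checked_status_for("abc"));
    printf("parse_uid \"1000\" -> %ld, \"1000x\" -> %ld, \"-1\" -> %ld\n",
           parse_uid_or_minus1("1000"), parse_uid_or_minus1("1000x"),
           parse_uid_or_minus1("-1"));
    return 0;
}
```

The first helper shows the silent failure the rule is about: parsing "abc" leaves the caller's variable at its previous value while the function claims success. Note also that "%d" writes a signed int through a uid_t pointer, so even a successful conversion of a negative string would produce a very large uid; the strtoul-based parser refuses a leading sign instead of letting it wrap.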