The %s format specifier is used to read a string into a buffer. If the input string exceeds the size of this buffer, a buffer overflow can occur.
Why is this an issue?
By default, there is no limit on the length of the string being read. The scanf family of functions will continue to read characters into the buffer until they encounter a whitespace character. If the input contains a string that is long enough and lacks whitespace characters, the memory beyond the end of the buffer will be overwritten. This situation is known as a buffer overflow vulnerability.
What is the potential impact?
An attacker could exploit this vulnerability to overwrite memory used by the application. This could result in the modification of application data, unexpected behavior, or cause the application to become unstable or crash. In some cases, the attacker might also gain control over the execution flow of the application, leading to arbitrary code execution.
How to fix it
A field width can be used together with the %s format specifier. This places an upper limit on the number of characters that will be read into the buffer.

Note that the %s format specifier always null-terminates the string in the buffer. You will need to ensure that the buffer is large enough to hold the required input and the null terminator, so the field width must be at most the buffer size minus one.
Code examples
Noncompliant code example

    char buffer[10];
    scanf("%s", buffer); // Noncompliant

If this code is given the word "noncompliant" as input, "noncomplia" will be stored in buffer and "nt␀" will overwrite the contents of the memory immediately following buffer.
Compliant solution

    char buffer[10];
    scanf("%9s", buffer);

If this code is given the word "noncompliant" as input, "noncompli␀" will be stored in buffer.
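The compliant solution above hard-codes the width 9 next to a 10-byte buffer, which can drift out of sync if either number is later changed. As an added example that is not part of the rule description, the hypothetical function read_token below derives the width from the buffer size at run time and, using the %n conversion, reports whether the token was cut short by the width:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reads one whitespace-delimited token from `input` into `buf`, which holds
 * `size` bytes. The field width is derived from `size` at run time, so it
 * cannot drift out of step with the buffer declaration.
 * Returns 1 if the whole token fit, 0 if it was cut short by the width
 * (the rest of the token is still unread), -1 if no token was found. */
static int read_token(const char *input, char *buf, size_t size)
{
    char fmt[32];
    int consumed = 0;
    unsigned char next;

    if (size < 2)
        return -1;

    /* Build e.g. "%9s%n" for a 10-byte buffer: width = size - 1 leaves room
     * for the null terminator that %s always writes; %n records how many
     * characters were consumed and does not count as a conversion. */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", size - 1);

    if (sscanf(input, fmt, buf, &consumed) != 1)
        return -1;

    /* If the character after the stored token is neither whitespace nor the
     * end of input, the token was longer than the buffer and was truncated. */
    next = (unsigned char)input[consumed];
    return (next == '\0' || isspace(next)) ? 1 : 0;
}

int main(void)
{
    char buffer[10];                     /* same size as the rule's examples */
    const char *input = "noncompliant";  /* constructed sample input */

    int rc = read_token(input, buffer, sizeof buffer);
    printf("stored \"%s\", %s\n", buffer,
           rc == 1 ? "complete" : rc == 0 ? "truncated" : "no token");
    return 0;
}
```

With the input "noncompliant" the buffer holds "noncompli" and the function reports truncation, so the caller can reject the input or drain the remainder instead of silently processing a shortened value.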