CWE-242: Use of Inherently Dangerous Function

Use of Inherently Dangerous Function
Status: Draft
Weakness ID: 242 (Weakness Base)
Description
Summary

The program calls a function that can never be guaranteed to work safely.

Likelihood of Exploit

High

Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)
Causal Nature
Explicit (an explicit weakness resulting from behavior of the developer)
Potential Mitigations

Ban the use of dangerous functions. Use their safe equivalents.

Use grep or static analysis tools to spot usage of dangerous functions.

Demonstrative Examples

The excerpt below calls the gets() function in C, which is inherently unsafe.

C Example:
#include <stdio.h>

char buf[BUFSIZE];
gets(buf); /* no bounds check: input longer than BUFSIZE writes past the end of buf */
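The safe equivalent the mitigation above calls for, as an added example that is not part of the CWE entry: read_line_bounded() replaces gets() with fgets() on a fixed-size buffer, and the demo functions feed it a constructed 40-byte line through an in-memory stream (fmemopen, POSIX) to show that the over-long line is truncated and the following line is still read intact. All function names and the BUFSIZE value are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16  /* deliberately small so the constructed line does not fit */

/* Bounded replacement for gets(): stores at most size-1 bytes in buf, strips
 * the newline, and on an over-long line discards the remainder so the next
 * call starts on a fresh line.  Returns bytes stored, or -1 at EOF/error;
 * *truncated is set to 1 when the line did not fit. */
int read_line_bounded(char *buf, size_t size, FILE *in, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* whole line fitted: drop newline */
    } else if (!feof(in)) {
        *truncated = 1;                 /* drain the rest of the long line */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Constructed input (not real program data): a 40-byte line, then a short one. */
static const char DEMO_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nsecond line\n";

/* Reads DEMO_INPUT through read_line_bounded with a BUFSIZE buffer.  Where
 * gets() would write 40 bytes into 16, this stores 15, flags truncation, and
 * still reads the following line intact.  Returns 0 if the stream fails. */
static int run_demo(int *len1, int *trunc1, char *line2, size_t line2_size)
{
    char buf[BUFSIZE];
    int trunc2;
    FILE *fp = fmemopen((void *)DEMO_INPUT, sizeof DEMO_INPUT - 1, "r");
    if (fp == NULL)
        return 0;
    *len1 = read_line_bounded(buf, sizeof buf, fp, trunc1);
    read_line_bounded(line2, line2_size, fp, &trunc2);
    fclose(fp);
    return 1;
}

int demo_line1_len(void)       { int l, t; char s[BUFSIZE]; return run_demo(&l, &t, s, sizeof s) ? l : -1; }
int demo_line1_truncated(void) { int l, t; char s[BUFSIZE]; return run_demo(&l, &t, s, sizeof s) ? t : -1; }
int demo_line2_intact(void)    { int l, t; char s[BUFSIZE]; return run_demo(&l, &t, s, sizeof s) && strcmp(s, "second line") == 0; }
```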
Other Notes

Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. The C++ stream extraction operator >> is likewise unsafe when reading into a character buffer because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

Relationships
Nature      Type                         ID   Name                                               View(s) this relationship pertains to
ChildOf     Weakness Class               710  Coding Standards Violation                         Research Concepts (primary) [1000]
ChildOf     Weakness Class               227  Failure to Fulfill API Contract (aka 'API Abuse')  Development Concepts (primary) [699]; Seven Pernicious Kingdoms (primary) [700]
RequiredBy  Compound Element: Composite  120  Unbounded Transfer ('Classic Buffer Overflow')     Research Concepts [1000]
Taxonomy Mappings
Mapped Taxonomy Name    Mapped Node Name
7 Pernicious Kingdoms   Dangerous Functions
Applicable Platforms
Languages
C
C++
Time of Introduction
* Implementation
Content History
Submissions
7 Pernicious Kingdoms. (Externally Mined)
Modifications
Sean Eidemiller. Cigital. 2008-07-01. (External)
added/updated demonstrative examples
Eric Dalci. Cigital. 2008-07-01. (External)
updated Potential_Mitigations
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Type, Weakness_Ordinalities
Previous Entry Names
* Dangerous Functions (changed 2008-01-30)
* Use of Inherently Dangerous Functions (changed 2008-04-11)
Page Last Updated: September 10, 2008