Obsolete routines can cause security vulnerabilities and portability issues
This defect occurs when you call a standard library routine that the C/C++ language standards, POSIX, or the platform API has marked as legacy, deprecated, or obsolete, or has removed outright. Such routines are typically not thread-safe or reentrant, are under-specified, or have an inherently unsafe interface (predictable temporary-file names, no buffer length, no atomic create), and their availability and behavior vary between platforms.
| Obsolete Function | Standards | Risk | Replacement Function |
|---|---|---|---|
| asctime | Deprecated in POSIX.1-2008. | Not thread-safe. | strftime or asctime_s |
| asctime_r | Deprecated in POSIX.1-2008. | Implementation based on the unsafe function sprintf. | strftime or asctime_s |
| bcmp | Deprecated in 4.3BSD. Marked as legacy in POSIX.1-2001. | Returns from the function after finding the first differing byte, making it vulnerable to timing attacks. | memcmp (memcmp also stops at the first differing byte; compare secrets such as MACs or password hashes with a constant-time routine) |
| bcopy | Deprecated in 4.3BSD. Marked as legacy in POSIX.1-2001. | Portability issues. The argument order (src, dst, n) is the reverse of memcpy and memmove (dst, src, n), a common source of errors when porting. | memcpy or memmove |
| brk and sbrk | Marked as legacy in SUSv2 and POSIX.1-2001. | Portability issues. | malloc |
| bsd_signal | Removed in POSIX.1-2008. | | sigaction |
| bzero | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | | memset (to clear secrets, prefer memset_s or explicit_bzero, which the compiler cannot optimize away) |
| ctime | Deprecated in POSIX.1-2008. | Not thread-safe. | strftime or ctime_s |
| ctime_r | Deprecated in POSIX.1-2008. | Implementation based on the unsafe function sprintf. | strftime or ctime_s |
| cuserid | Removed in POSIX.1-2001. | Not reentrant. Precise functionality not standardized, causing portability issues. | getpwuid |
| ecvt and fcvt | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | Not reentrant. | snprintf |
| ecvt_r and fcvt_r | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | | snprintf |
| ftime | Removed in POSIX.1-2008. | | time, gettimeofday, or clock_gettime |
| gamma, gammaf, gammal | Not specified in any standard because of historical variations. | Portability issues. | tgamma or lgamma |
| gcvt | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | | snprintf |
| getcontext | Removed in POSIX.1-2008. | Portability issues. | POSIX threads |
| getdtablesize | BSD API function not included in POSIX.1-2001. | Portability issues. | sysconf(_SC_OPEN_MAX) |
| gethostbyaddr | Removed in POSIX.1-2008. | Not reentrant. | getnameinfo |
| gethostbyname | Removed in POSIX.1-2008. | Not reentrant. | getaddrinfo |
| getpagesize | BSD API function not included in POSIX.1-2001. | Portability issues. | sysconf(_SC_PAGESIZE) |
| getpass | Removed in POSIX.1-2001. | Not reentrant. | No standardized replacement; read from the controlling terminal with echo disabled (tcgetattr/tcsetattr with the ECHO flag cleared). |
| getw | Not present in POSIX.1-2001. | | fread |
| getwd | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | Takes no buffer length; the caller must supply at least PATH_MAX bytes or risk a buffer overflow. | getcwd |
| index | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | | strchr |
| makecontext | Removed in POSIX.1-2008. | Portability issues. | POSIX threads |
| memalign | Appears in SunOS 4.1.3. Not in 4.4BSD or POSIX.1-2001. | | posix_memalign |
| mktemp | Removed in POSIX.1-2008. | Generated names are predictable, and the gap between generating the name and creating the file is a race condition (CWE-377): an attacker can create a file or symbolic link at that path first. | mkstemp, which creates the file atomically with O_EXCL and removes the race |
| pthread_attr_getstackaddr and pthread_attr_setstackaddr | Marked as obsolescent in POSIX.1-2001. Removed in POSIX.1-2008. | Ambiguities in the specification of the stackaddr attribute cause portability issues. | pthread_attr_getstack and pthread_attr_setstack |
| putw | Not present in POSIX.1-2001. | Portability issues. | fwrite |
| qecvt and qfcvt | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | | snprintf |
| qecvt_r and qfcvt_r | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | | snprintf |
| rand_r | Marked as obsolete in POSIX.1-2008. | | |
| re_comp | BSD API function. | Portability issues. | regcomp |
| re_exec | BSD API function. | Portability issues. | regexec |
| rindex | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | | strrchr |
| scalb | Removed in POSIX.1-2008. | | scalbln, scalblnf, or scalblnl |
| sigblock | 4.3BSD signal API whose origin is unclear. | | sigprocmask |
| sigmask | 4.3BSD signal API whose origin is unclear. | | sigprocmask |
| sigsetmask | 4.3BSD signal API whose origin is unclear. | | sigprocmask |
| sigstack | Interface is obsolete and not implemented on most platforms. | Portability issues. | sigaltstack |
| sigvec | 4.3BSD signal API whose origin is unclear. | | sigaction |
| swapcontext | Removed in POSIX.1-2008. | Portability issues. | POSIX threads |
| tmpnam and tmpnam_r | Marked as obsolete in POSIX.1-2008. | Returns only a name, not an open file, so another process can create or replace that path before the caller opens it (the same race as mktemp). Generates a different string on each call, up to TMP_MAX times; beyond TMP_MAX calls the behavior is implementation-defined. | mkstemp or tmpfile |
| ttyslot | Removed in POSIX.1-2001. | | |
| ualarm | Marked as legacy in POSIX.1-2001. Removed in POSIX.1-2008. | Errors are under-specified. | setitimer or the POSIX timer_create |
| usleep | Removed in POSIX.1-2008. | | nanosleep |
| utime | SVr4, POSIX.1-2001. Marked as obsolete in POSIX.1-2008. | | utimensat |
| valloc | Marked as obsolete in 4.3BSD. Marked as legacy in SUSv2. Removed in POSIX.1-2001. | | posix_memalign |
| vfork | Removed in POSIX.1-2008. | Under-specified in previous standards. | fork |
| wcswcs | Not included in the final ISO/IEC 9899:1990/Amendment 1:1995 (E). | | wcsstr |
| WinExec | Provided by the Windows API only for 16-bit Windows compatibility. | | CreateProcess |
| LoadModule | Provided by the Windows API only for 16-bit Windows compatibility. | | CreateProcess |
The fix depends on the root cause of the defect. Often the result details show a sequence of events that led to the defect. You can implement the fix on any event in the sequence. If the result details do not show the event history, you can trace back using right-click options in the source code and see previous related events. See also Interpret Bug Finder Results in Polyspace Desktop User Interface.
See examples of fixes below.
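The following is an added worked example of the most security-relevant fix in the table above, the mktemp to mkstemp replacement; it is not code from the Polyspace documentation. The temporary directory (/tmp) and the template name (example.XXXXXX) are assumptions made for the demonstration. The unsafe variant is shown only to make the race window visible and is not called by the demonstration; glibc emits a link-time warning for mktemp but still builds it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* declares mkstemp/mktemp and lstat on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed location and name pattern for the demonstration (not from the page). */
#define TMP_TEMPLATE "/tmp/example.XXXXXX"

/* UNSAFE (CWE-377): mktemp() only rewrites the XXXXXX into a (predictable)
 * name and does not create the file. Between that call and open(), another
 * process can create a file or symlink at the same path; O_CREAT without
 * O_EXCL then follows the symlink or truncates the attacker's file. */
int create_temp_unsafe(char *path, size_t path_len) {
    int n = snprintf(path, path_len, "%s", TMP_TEMPLATE);
    if (n < 0 || (size_t)n >= path_len) return -1;
    if (mktemp(path) == NULL || path[0] == '\0') return -1;  /* name only */
    /* ---- race window: the path exists as a string, not as our file ---- */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* SAFE: mkstemp() picks the name and creates the file in one step with
 * O_CREAT|O_EXCL and mode 0600, so no other process can pre-create it. */
int create_temp_safe(char *path, size_t path_len) {
    int n = snprintf(path, path_len, "%s", TMP_TEMPLATE);
    if (n < 0 || (size_t)n >= path_len) return -1;
    return mkstemp(path);   /* returns an open descriptor, or -1 with errno set */
}

/* Post-condition check a reviewer would want: the descriptor refers to a
 * regular file with no group/other permission bits, and the path on disk is
 * the very inode we hold (not a symlink that was swapped in). Returns 1 if OK. */
int temp_is_private(int fd, const char *path) {
    struct stat fs, ps;
    if (fstat(fd, &fs) != 0 || lstat(path, &ps) != 0) return 0;
    if (!S_ISREG(fs.st_mode)) return 0;
    if ((fs.st_mode & 077) != 0) return 0;
    return fs.st_ino == ps.st_ino && fs.st_dev == ps.st_dev;
}

/* Close and unlink; returns 0 on success. */
int discard_temp(int fd, const char *path) {
    int rc = 0;
    if (close(fd) != 0) rc = -1;
    if (unlink(path) != 0) rc = -1;
    return rc;
}

/* Full cycle with the safe variant; returns 1 when the file was created,
 * verified private, and removed. */
int demo_roundtrip(void) {
    char path[64];
    int fd = create_temp_safe(path, sizeof path);
    if (fd < 0) return 0;
    int ok = temp_is_private(fd, path);
    if (discard_temp(fd, path) != 0) return 0;
    return ok;
}

int main(void) {
    char path[64];
    int fd = create_temp_safe(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s, private=%d\n", path, temp_is_private(fd, path));
    return discard_temp(fd, path) == 0 ? 0 : 1;
}
```

The same reasoning applies to tmpnam and tmpnam_r: anything that hands back a name instead of an open descriptor leaves the create step to the caller and therefore leaves the race. Where the file only needs to exist for the lifetime of the process, tmpfile (or mkstemp followed immediately by unlink) removes the named path from the filesystem as well.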
If you do not want to fix the issue, add comments to your result or code to avoid another review. See Address Polyspace Results Through Bug Fixes or Justifications.
Group: Security
Language: C | C++
Default: Off
Command-Line Syntax: OBSOLETE_STD_FUNC
Impact: Low
CWE ID: 474, 477
Tags: #deprecatedFunctions

See Also: Find defects (-checkers) | Invalid use of standard library string routine | Unsafe standard function | Use of dangerous standard function