[metadata]
id = "CON33-C"
type = "recommendation"
category = "CON"
number = 33
title = "Avoid race conditions when using library functions"
# The prose and the remediation table below were de-garbled from the wiki
# extract (spaces lost around code spans, table cells run together). The
# wording is otherwise that of the CERT page; cells the extract did not carry
# are marked as such rather than filled in.
description = """
Some C standard library functions are not guaranteed to be reentrant with
respect to threads. Functions such as strtok() and asctime() return a pointer to
the result stored in function-allocated memory on a per-process basis. Other
functions such as rand() store state information in function-allocated memory
on a per-process basis. Multiple threads invoking the same function can cause
concurrency problems, which often result in abnormal behavior and can cause more
serious vulnerabilities, such as abnormal termination, denial-of-service attack,
and data integrity violations. According to the C Standard, the library
functions listed in the following table may contain data races when invoked by
multiple threads.

| Functions                                      | Remediation                                                                 |
|------------------------------------------------|-----------------------------------------------------------------------------|
| rand(), srand()                                | MSC30-C. Do not use the rand() function for generating pseudorandom numbers |
| getenv()                                       | ENV34-C. Do not store pointers returned by certain functions                |
| strtok()                                       | strtok_r() in POSIX                                                         |
| strerror()                                     | strerror_r() in POSIX                                                       |
| asctime(), ctime(), localtime(), gmtime()      | (no remediation preserved in this extract)                                  |
| strftime(), setlocale()                        | Protect multithreaded access to locale-specific functions with a mutex      |
| ATOMIC_VAR_INIT, atomic_init()                 | Do not attempt to initialize an atomic variable from multiple threads       |
| tmpnam()                                       | tmpnam_r() in POSIX                                                         |
| mbrtoc16(), c16rtomb(), mbrtoc32(), c32rtomb() | Do not call with a null mbstate_t * argument                                |

Note: strtok_r(), strerror_r() and tmpnam_r() are POSIX extensions, not ISO C,
so portable code needs a build-time check before relying on them. A reentrant
replacement removes only the library's own internal shared state; any data the
caller shares between threads (including the buffer it passes in) still needs
the caller's own synchronization.
"""
severity = "Medium"
likelihood = "Probable"
priority = "P4"
level = "L3"
cert_version = "2016 Edition (Wiki)"
last_modified = "Oct 31, 2025"
[rules.cert_c.CON33-C]
enabled = true
[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/CON33-C.+Avoid+race+conditions+when+using+library+functions"
cwe = ["CWE-330", "CWE-377", "CWE-676"]