The C11 Annex K (normative), "Bounds-checking interfaces" [ISO/IEC 9899:2011], defines alternative versions of standard string-handling functions designed to be safer replacements for existing functions. For example, it defines the strcpy_s(), strcat_s(), strncpy_s(), and strncat_s() functions as replacements for strcpy(), strcat(), strncpy(), and strncat(), respectively.

...

The semantics of strcpy_s() are similar to the semantics of strcpy(). When there are no input validation errors, the strcpy_s() function copies characters from a source string to a destination character array up to and including the terminating null character. The function returns 0 on success.

The strcpy_s() function succeeds only when the source string can be fully copied to the destination without overflowing the destination buffer. Specifically, the following checks are made:

  • The source and destination pointers are checked to see if they are NULL.
  • The maximum length of the destination buffer is checked to see if it is equal to 0, greater than RSIZE_MAX, or less than or equal to the length of the source string.
  • Copying is not allowed between objects that overlap.

When a runtime-constraint violation is detected, the destination string is set to the null string (as long as it is not a null pointer, and the maximum length of the destination buffer is greater than 0 and not greater than RSIZE_MAX), and the function returns a nonzero value. In the following example, the strcpy_s() function is used to copy src1 to dst1.

...
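The page's own src1/dst1 example is elided above. As an added illustration that is not part of the original page, the following C program re-implements the three runtime-constraint checks described for strcpy_s() (null pointers, a destination size that is 0, larger than RSIZE_MAX, or too small for the source, and overlapping objects) and the "destination becomes the null string on failure" behaviour. checked_strcpy() is a hypothetical stand-in written for this example, not the Annex K library function; the rsize_t, errno_t and RSIZE_MAX definitions are local assumptions because glibc does not provide Annex K.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stand-ins for the Annex K names. A conforming library declares these in
 * <string.h> when __STDC_WANT_LIB_EXT1__ is defined before inclusion; glibc
 * does not, so this example defines its own (an assumption of this example). */
typedef size_t rsize_t;
typedef int errno_t;
#ifndef RSIZE_MAX
#define RSIZE_MAX (SIZE_MAX >> 1)
#endif

/* Hypothetical re-implementation of the runtime-constraint checks the text
 * lists for strcpy_s(). Returns 0 on success, nonzero on a violation. */
errno_t checked_strcpy(char *dst, rsize_t dstmax, const char *src)
{
    /* On a violation the destination is reset to "", but only when dst is
     * non-null and dstmax is a usable size, i.e. in (0, RSIZE_MAX]. */
    int dst_writable = (dst != NULL && dstmax > 0 && dstmax <= RSIZE_MAX);

    /* Check 1: neither pointer may be null. */
    if (dst == NULL || src == NULL) {
        if (dst_writable) dst[0] = '\0';
        return 1;
    }
    /* Check 2a: dstmax must be neither 0 nor larger than RSIZE_MAX. */
    if (!dst_writable) {
        return 1;   /* the size is untrustworthy, so dst is left untouched */
    }
    /* Check 2b: src, including its terminator, must fit in dstmax bytes.
     * The scan is bounded by dstmax so an unterminated src cannot run off. */
    size_t srclen = 0;
    while (srclen < dstmax && src[srclen] != '\0') srclen++;
    if (srclen >= dstmax) {
        dst[0] = '\0';
        return 1;
    }
    /* Check 3: the two objects must not overlap. Addresses are compared as
     * integers because relational comparison of unrelated pointers is
     * undefined behaviour in C. */
    uintptr_t d0 = (uintptr_t)dst, d1 = d0 + dstmax;
    uintptr_t s0 = (uintptr_t)src, s1 = s0 + srclen + 1;
    if (d0 < s1 && s0 < d1) {
        dst[0] = '\0';
        return 1;
    }
    memcpy(dst, src, srclen + 1);
    return 0;
}

/* Exercises the checks on constructed inputs and returns how many of the
 * five calls were rejected (the first one fits, the other four violate). */
int count_rejections(void)
{
    char dst[8];
    int rejected = 0;

    rejected += checked_strcpy(dst, sizeof dst, "hello") != 0;         /* fits */
    rejected += checked_strcpy(dst, sizeof dst, "far too long") != 0; /* too long */
    rejected += checked_strcpy(dst, 0, "x") != 0;                      /* dstmax 0 */
    rejected += checked_strcpy(dst, sizeof dst, NULL) != 0;            /* null src */
    rejected += checked_strcpy(dst, sizeof dst, dst + 1) != 0;         /* overlap */
    return rejected;
}

/* After a rejected copy the destination must read as the empty string,
 * so stale data from an earlier copy cannot leak through. */
int dst_is_emptied_on_overflow(void)
{
    char dst[8] = "stale";
    (void)checked_strcpy(dst, sizeof dst, "this string is too long");
    return dst[0] == '\0';
}

int main(void)
{
    printf("rejected calls: %d\n", count_rejections());
    printf("emptied on overflow: %d\n", dst_is_emptied_on_overflow());
    return 0;
}
```

The important design point for callers is visible in count_rejections(): a too-long source is refused outright rather than silently truncated, which is what distinguishes strcpy_s() from strncpy(), and a caller who ignores the return value still ends up with an empty, properly terminated string rather than a partial one.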

Users of the C11 Annex K functions are less likely to introduce a security flaw because the size of the destination buffer and the maximum number of characters to append must be specified. ISO/IEC TR 24731 Part II [ISO/IEC TR 24731-2:2010] offers another approach, supplying functions that allocate enough memory for their results. ISO/IEC TR 24731 functions also ensure null termination of the destination string.

...

String-handling functions defined in the C Standard, Section 7.24 [ISO/IEC 9899:2011], and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of TR 24731 functions can eliminate most of these issues.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

Use of libraries

...

[TRJ]

Bibliography

[Seacord 2005a] Chapter 2, "Strings"
[Seacord 2005b]

...