...
This noncompliant code example demonstrates what is commonly called an off-by-one error [Dowd 2006]. The loop copies data from src to dest. However, the null terminator may incorrectly be written 1 byte past the end of dest because the loop does not account for the null-termination character that must be appended to dest.
...
Command-line arguments are passed to main() as pointers to null-terminated byte strings in the array members argv[0] through argv[argc-1]. If the value of argc is greater than zero, the string pointed to by argv[0] is, by convention, the program name. If the value of argc is greater than one, the strings referenced by argv[1] through argv[argc-1] are the actual program arguments.
...
Compliant Solution (argv) (memcpy())
The C Standard memcpy() function provides a similar capability to strcpy_s() but is universally available. Note that care must be taken to avoid assuming that argv[0] is non-null. Note also that memcpy() must not be called with a null pointer even when the second (size) argument is zero.
```c
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
  /* Be prepared for argv[0] to be null */
  const char* const name = argv[0] ? argv[0] : "";
  char *prog_name;
  size_t prog_size;

  /* Size the destination from the source, including the null terminator */
  prog_size = strlen(name) + 1;
  prog_name = (char *)malloc(prog_size);

  if (prog_name != NULL) {
    /* prog_size bytes copies the terminator as well as the characters */
    memcpy(prog_name, name, prog_size);
  } else {
    /* Failed to allocate memory - recover */
  }
  /* ... */
}
```
...
The getenv() function searches an environment list, provided by the host environment, for a string that matches the string pointed to by name. The set of environment names and the method for altering the environment list are implementation-defined. Environment variables can be arbitrarily large, and copying them into fixed-length arrays without first determining the size and allocating adequate storage can result in a buffer overflow.
...
The buffer overflow can be prevented by providing a precision length to the %s specifier. The value 123 ensures that filename can contain the first 123 characters of name, the .txt extension, and the null terminator.
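The two techniques described above, as an added example that is not code from the CERT page: dup_bounded() sizes a heap copy from the source length plus one (the getenv() case, with the value passed in as a parameter instead of read from the environment), and make_txt_filename() bounds the %s conversion with a precision so that 123 characters, ".txt" and the terminator fit a 128-byte buffer. The function names, the use of snprintf() rather than sprintf(), and the inputs are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Technique 1: size the destination from the source at run time.
 * An environment value can be arbitrarily long, so measure it and allocate
 * strlen(value) + 1 bytes before copying. Returns a heap copy that the
 * caller must free, or NULL if value is NULL or allocation fails. */
char *dup_bounded(const char *value) {
    if (value == NULL) {
        return NULL;
    }
    size_t size = strlen(value) + 1;   /* +1 for the null terminator */
    char *copy = (char *)malloc(size);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, value, size);         /* copies the terminator too */
    return copy;
}

/* Technique 2: a fixed buffer with the %s conversion bounded by a precision.
 * 123 characters of name + ".txt" (4) + the null terminator (1) = 128 bytes.
 * sizeof(".txt") is 5 because it counts the terminator. */
#define NAME_PRECISION 123
#define FILENAME_SIZE (NAME_PRECISION + sizeof(".txt"))

/* Writes "<name truncated to 123 chars>.txt" into filename.
 * Returns the number of characters written (excluding the terminator),
 * or -1 on error. */
int make_txt_filename(const char *name, char filename[FILENAME_SIZE]) {
    if (name == NULL) {
        return -1;
    }
    /* The precision caps how much of name is copied, whatever its length;
     * the snprintf() size argument is a second, independent bound. */
    int n = snprintf(filename, FILENAME_SIZE, "%.*s.txt", NAME_PRECISION, name);
    if (n < 0 || (size_t)n >= FILENAME_SIZE) {
        return -1;   /* cannot occur with this format, but check anyway */
    }
    return n;
}
```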
...
Tool | Version | Checker | Description
---|---|---|---
LDRA | | |
Fortify SCA | 5.0 | |
Splint | | |
Compass/ROSE | | | Can detect violations of the rule. However, it is unable to handle cases involving
PRQA QA-C | | 0556 | Partially implemented
Related Vulnerabilities
CVE-2009-1252 results from a violation of this rule. The Network Time Protocol daemon (NTPd), before versions 4.2.4p7 and 4.2.5p74, contained calls to sprintf() that allow an attacker to execute arbitrary code by overflowing a character array [xorl 2009].
Search for additional vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Taxonomy | Guideline
---|---
... | ... and the null terminator
ISO/IEC TR 17961 | (Draft) Using a tainted value to write to an object using a formatted input or output function [taintformatio]
ISO/IEC TR 24772 | String termination [CJM]; Buffer overflow in heap [XYB]; Buffer overflow in stack [XYW]
MITRE CWE | Failure to constrain operations within the bounds of an allocated memory buffer; Buffer copy without checking size of input ("classic buffer overflow"); CWE-193, Off-by-one error
Bibliography
[Dowd 2006] | Chapter 7, "Program Building Blocks" ("Loop Constructs," pp. 327–336)
[Seacord 2005a] | Chapter 2, "Strings"
[xorl 2009] | FreeBSD-SA-09:11: NTPd Remote Stack Based Buffer Overflows
...