Versions Compared

Copying data to a buffer that is not large enough to hold that data results in a buffer overflow. While not limited to null-terminated byte strings (NTBS), buffer overflows often occur when manipulating NTBS data. To prevent such errors, limit copies either through truncation (see STR03-C. Do not inadvertently truncate a null-terminated byte string) or, preferably, ensure that the destination is of sufficient size to hold the character data to be copied and the null-termination character.

Noncompliant Code Example (Off-by-One Error)

This noncompliant code example demonstrates what is commonly referred to as an off-by-one error [Dowd 2006]. The loop copies data from src to dest. However, the null terminator may incorrectly be written one byte past the end of dest because the loop does not account for the null-termination character that must be appended to dest.

char dest[ARRAY_SIZE];
char src[ARRAY_SIZE];
size_t i;
/* ... */
/* The loop may copy sizeof(dest) characters, so i can equal sizeof(dest) on exit */
for (i=0; src[i] && (i < sizeof(dest)); i++) {
  dest[i] = src[i];
}
dest[i] = '\0';  /* when i == sizeof(dest), this writes one byte past the end of dest */
/* ... */

Compliant Solution (Off-by-One Error)

To correct this example, the loop termination condition must be modified to account for the null-termination character that is appended to dest.

...

The strcpy_s() function provides additional safeguards, including accepting the size of the destination buffer as an additional argument. (See guideline STR07-C. Use TR 24731 for remediation of existing string manipulation code.) Note that care must be taken to avoid assuming that argv[0] is non-null.

...

Environment variables are loaded into process memory when the program is loaded. As a result, the length of these null-terminated byte strings can be determined by calling the strlen() function, and the resulting length can be used to allocate adequate dynamic memory:
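A worked example, added here and not part of the original rule text, showing both remedies the rule describes: a bounded copy that reserves the terminator byte (the correction for the off-by-one loop above) and a heap copy of an environment variable sized with strlen() plus one. The function names copy_bounded, dup_cstring and dup_env are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy that reserves room for the null terminator.
 * Returns 0 on success, -1 if src does not fit; on failure dest is
 * left as a valid empty string rather than a partial, unterminated one. */
int copy_bounded(char *dest, size_t dest_size, const char *src) {
    size_t i;
    if (dest == NULL || src == NULL || dest_size == 0) {
        return -1;
    }
    /* Stop one byte early so the terminator write below stays in bounds. */
    for (i = 0; src[i] != '\0' && i < dest_size - 1; i++) {
        dest[i] = src[i];
    }
    if (src[i] != '\0') {      /* source was longer than dest_size - 1 */
        dest[0] = '\0';
        return -1;
    }
    dest[i] = '\0';            /* i <= dest_size - 1 here */
    return 0;
}

/* Heap copy sized from the source length plus one for the terminator. */
char *dup_cstring(const char *s) {
    if (s == NULL) return NULL;
    size_t len = strlen(s);
    char *copy = malloc(len + 1);   /* +1 for the null terminator */
    if (copy != NULL) memcpy(copy, s, len + 1);
    return copy;
}

/* getenv() returns NULL for an unset variable; never pass that to strlen(). */
char *dup_env(const char *name) {
    return dup_cstring(getenv(name));
}

int main(void) {
    char small[8];
    char *home = dup_env("HOME");   /* NULL if HOME is unset */
    printf("%d %s\n", copy_bounded(small, sizeof small, "12345678"), home ? home : "(unset)");
    free(home);
    return 0;
}
```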

...

Rule       Severity   Likelihood   Remediation Cost   Priority   Level
STR31-C    high       likely       medium             P18        L1

Automated Detection

Tool              Version   Checker   Description
LDRA tool suite   ...       ...       ...
Fortify SCA       5.0                 Fortify SCA Version 5.0 can detect violations of this rule.
Splint            3.1.1               Splint Version 3.1.1 can detect violations of this rule.
Compass/ROSE                          Can detect violations of the rule. However, it is unable to handle cases involving strcpy_s() or manual string copies such as the one in the first example.
Klocwork          ...       ...       ...

Related Vulnerabilities

CVE-2009-1252 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1252) results from a violation of this rule. The Network Time Protocol (NTPd), before versions 4.2.4p7 and 4.2.5p74, contained calls to sprintf that allow an attacker to execute arbitrary code by overflowing a character array [xorl 2009].

Search for additional vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

This rule appears in the C++ Secure Coding Standard as STR31-CPP. Guarantee that storage for character arrays has sufficient space for character data and the null terminator.

Bibliography

[Dowd 2006] Chapter 7, "Program Building Blocks" (Loop Constructs 327-336)
[ISO/IEC 9899:1999] Section 7.1.1, "Definitions of terms," Section 7.21, "String handling <string.h>," Section 5.1.2.2.1, "Program startup," and Section 7.20.4.5, "The getenv function"
[ISO/IEC PDTR 24772] "CJM String Termination," "XYW Buffer Overflow in Stack," and "XYB Buffer Overflow in Heap"
[MITRE] CWE ID 119 (http://cwe.mitre.org/data/definitions/119.html), "Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer"
[MITRE] CWE ID 120 (http://cwe.mitre.org/data/definitions/120.html), "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"
[MITRE] CWE ID 193 (http://cwe.mitre.org/data/definitions/193.html), "Off-by-one Error"
[Seacord 2005a] Chapter 2, "Strings"
[xorl 2009] "FreeBSD-SA-09:11: NTPd Remote Stack Based Buffer Overflows" (http://xorl.wordpress.com/2009/06/10/freebsd-sa-0911-ntpd-remote-stack-based-buffer-overflows/)

...