ISO/IEC TR 24731 The C11 Annex K bounds-checking interfaces defines alternative versions of C standard string handling functions that are designed to be safer replacements for existing functions. For example, ISO/IEC TR 24731 Part I (24731-1) C11 Annex K defines the strcpy_s(), strcat_s(), strncpy_s(), and strncat_s() functions as replacements for strcpy(), strcat(), strncpy(), and strncat(), respectively.
The ISO/IEC TR 24731-1 C11 Annex K functions were created by Microsoft to help retrofit its existing, legacy code base in response to numerous, well-publicized security incidents over the past decade. These functions were subsequently proposed to the international standardization working group for the programming language C (ISO/IEC JTC1/SC22/WG14) for standardization.
...
The signature is similar to strcpy() but takes an extra argument of type rsize_t that specifies the maximum length of the destination buffer. Functions that accept parameters of type rsize_t diagnose a constraint violation, if the values of those parameters are greater than RSIZE_MAX. Extremely large object sizes are frequently a sign that an object's size was calculated incorrectly. For example, negative numbers appear as very large positive numbers when converted to an unsigned type like size_t. For those reasons, it is sometimes beneficial to restrict the range of object sizes to detect errors. For machines with large address spaces, ISO/IEC TR 24731-1 C11 Annex K recommends that RSIZE_MAX be defined as the smaller of the size of the largest object supported or (SIZE_MAX >> 1), even if this limit is smaller than the size of some legitimate, but very large, objects. See also recommendation INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.
...
| Wiki Markup |
|---|
However, the call to copy {{src2}} to {{dst2}} fails because there is insufficient space available to copy the entire string, which consists of eight characters, to the destination buffer. As a result, {{r2}} is assigned a nonzero value and {{dst2\[0\]}} is set to the null character. |
Users of the ISO/IEC TR 24731-1 C11 Annex K functions are less likely to introduce a security flaw because the size of the destination buffer and the maximum number of characters to append must be specified. ISO/IEC TR 24731 Part II (24731-2, in progress) will offer another approach, supplying functions that allocate enough memory for their results. ISO/IEC TR 24731 functions also ensure null termination of the destination string.
ISO/IEC TR 24731-1 functions are still capable of overflowing a buffer if the maximum length of the destination buffer and number of characters to copy are incorrectly specified. ISO/IEC TR 24731-2 functions can make it more difficult to keep track of memory that must be freed, leading to memory leaks. As a result, the ISO/IEC TR 24731 functions are not particularly secure but may be useful in preventive maintenance to reduce the likelihood of vulnerabilities in an existing legacy code base.
Noncompliant Code Example
The following noncompliant code overflows its buffer if msg is too long, and has undefined behavior if msg is a null pointer.
| Code Block | ||||
|---|---|---|---|---|
| ||||
void complain(const char *msg) {
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFSIZ];
strcpy(buf, prefix);
strcat(buf, msg);
strcat(buf, suffix);
fputs(buf, stderr);
}
|
Compliant Solution (Run Time)
The following compliant solution will not overflow its buffer.
| Code Block | ||||
|---|---|---|---|---|
| ||||
void complain(const char *msg) {
errno_t err;
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFSIZ];
err = strcpy_s(buf, sizeof(buf), prefix);
if (err != 0) {
/* handle error */
}
err = strcat_s(buf, sizeof(buf), msg);
if (err != 0) {
/* handle error */
}
err = strcat_s(buf, sizeof(buf), suffix);
if (err != 0) {
/* handle error */
}
fputs(buf, stderr);
}
|
Compliant Solution (Partial Compile Time)
The following compliant solution performs some of the checking at compile time using a static assertion. (See recommendation DCL03-C. Use a static assertion to test the value of a constant expression.)
| Code Block | ||||
|---|---|---|---|---|
| ||||
void complain(const char *msg) {
errno_t err;
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFSIZ];
/* Ensure that more than one character
* is available for msg. */
static_assert(sizeof(buf) > sizeof(prefix) + sizeof(suffix),
"Buffer for complain() is too small");
strcpy(buf, prefix);
err = strcat_s(buf, sizeof(buf), msg);
if (err != 0) {
/* handle error */
}
err = strcat_s(buf, sizeof(buf), suffix);
if (err != 0) {
/* handle error */
}
fputs(buf, stderr);
}
|
Risk Assessment
String handling functions defined in C99, Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of TR 24731 functions can eliminate the majority of these issues.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
STR07-C | high | probable | medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC 9899:1999 Section 7.21, "String handling <string.h>"
ISO/IEC TR 24772 "TRJ Use of Libraries"
Bibliography
| Wiki Markup |
|---|
\[[Seacord 2005a|AA. Bibliography#Seacord 05a]\] Chapter 2, "Strings" \[[Seacord 2005b|AA. Bibliography#Seacord 05b]\] |
...