SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 66

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 67

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ISO/IEC TR 24731-1 functions are still capable of overflowing a buffer if the maximum length of the destination buffer and number of characters to copy are incorrectly specified. ISO/IEC TR 24731-2 functions can make it more difficult to keep track of memory that must be freed, leading to memory leaks. As a result, the ISO/IEC TR 24731 functions are not particularly secure but may be useful in preventive maintenance to reduce the likelihood of vulnerabilities in an existing legacy code base.

Noncompliant Code Example

The following noncompliant code overflows its buffer if msg is too long, and has undefined behavior if msg is a null pointer.

Code Block
bgColor#FFCCCC
langc
void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZ];

  strcpy(buf, prefix);
  strcat(buf, msg);
  strcat(buf, suffix);
  fputs(buf, stderr);
}

Compliant Solution (Run Time)

The following compliant solution will not overflow its buffer.

Code Block
bgColor#ccccff
langc
void complain(const char *msg) {
  errno_t err;
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZ];

  err = strcpy_s(buf, sizeof(buf), prefix);
  if (err != 0) {
    /* handle error */
  }

  err = strcat_s(buf, sizeof(buf), msg);
  if (err != 0) {
    /* handle error */
  }

  err = strcat_s(buf, sizeof(buf), suffix);
  if (err != 0) {
    /* handle error */
  }

  fputs(buf, stderr);
}

Compliant Solution (Partial Compile Time)

The following compliant solution performs some of the checking at compile time using a static assertion. (See recommendation DCL03-C. Use a static assertion to test the value of a constant expression.)

Code Block
bgColor#ccccff
langc
void complain(const char *msg) {
  errno_t err;
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZ];

  /* Ensure that more than one character
   * is available for msg. */
  static_assert(sizeof(buf) > sizeof(prefix) + sizeof(suffix),
                "Buffer for complain() is too small");
  strcpy(buf, prefix);

  err = strcat_s(buf, sizeof(buf), msg);
  if (err != 0) {
    /* handle error */
  }

  err = strcat_s(buf, sizeof(buf), suffix);
  if (err != 0) {
    /* handle error */
  }
  fputs(buf, stderr);
}

Risk Assessment

String handling functions defined in C99, Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of TR 24731 functions can eliminate the majority of these issues.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

STR07-C

high

probable

medium

P12

L1

Automated Detection

Tool

Version

Checker

Description

Section

LDRA tool suite

Include Page
c:LDRA_V
c:LDRA_V

 

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC 9899:1999 Section 7.21, "String handling <string.h>"

ISO/IEC TR 24772 "TRJ Use of Libraries"

ISO/IEC TR 24731-1:2007

Bibliography

Wiki Markup
\[[Seacord 2005a|AA. Bibliography#Seacord 05a]\] Chapter 2, "Strings"
\[[Seacord 2005b|AA. Bibliography#Seacord 05b]\]

...