Non-compliant Code Example 1
These two lines of code assume that gets()
will not read more than BUFSIZ
characters from stdin
. This is an invalid assumption and the resulting operation can result in a buffer overflow.
Code Block |
---|
char buf[BUFSIZ + 1]; gets(buf); |
Non-compliant Code Example 2
The standard function strncpy()
and strncat()
do not guarantee that the resulting string is null terminated. If there is no null character in the first n characters of the source array pointed the result is not be null-terminated as in the following example:
Code Block |
---|
char a[16]; strncpy(a, "0123456789abcdef", sizeof(a)); |
Compliant Solution 1
The correct solution depends on the original intent. If your intent was to truncate a string but ensure that the
result was a null-terminated string the following solution can be used.
Code Block |
---|
char a[16]; strncpy(a, "0123456789abcdef", sizeof(a)-1); a[sizeof(a)] = '\0'; |
Compliant Solution 2
Example using strcpy()
Compliant Solution 3
Example using strncpy_s()
Exception
An exception to this rule applies if the intent of the programmer was to convert a null-terminated byte string to a character array. To be compliant with this standard, this intent must be made clear statement in comments.
References
- ISO/IEC 9899-1999 7.21.2.4 The strncpy function
- ISO/IEC 9899-1999 7.21.3.2 The strncat function
- SAMATE Reference Dataset Test Case ID 000-000-004