...
This noncompliant code example demonstrates what is commonly called an off-by-one error [Dowd 2006]. The loop copies data from src to dest. However, the null terminator may incorrectly be written one byte past the end of dest, because the loop does not account for the null-termination character that must be appended to dest.
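The following is an added example, not code from the original page: a copy loop with the off-by-one defect described above, placed beside a bounded version that reserves room for the terminator. Function names (`copy_off_by_one`, `would_overflow`, `copy_bounded`) are hypothetical.

```c
/* Added example (not the page's own code): a string-copy loop with the
 * off-by-one defect described above, beside a bounded version that
 * reserves room for the null terminator. Function names are hypothetical. */
#include <stddef.h>
#include <string.h>

/* Noncompliant: copies up to n characters, then writes the terminator at
 * dest[i]. When src holds n or more characters, i == n after the loop and
 * the terminator lands one byte past the end of an n-byte dest. */
void copy_off_by_one(size_t n, const char *src, char *dest) {
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; ++i) {
        dest[i] = src[i];
    }
    dest[i] = '\0'; /* out of bounds when i == n */
}

/* Returns nonzero when copy_off_by_one() would write dest[n], that is,
 * whenever src does not fit in n bytes together with its terminator. */
int would_overflow(size_t n, const char *src) {
    return strlen(src) >= n;
}

/* Compliant: dest_size is the full size of dest; at most dest_size - 1
 * characters are copied, so the terminator always lands inside dest.
 * Returns 0 on success, -1 if dest_size is 0 or src had to be truncated
 * (dest is still null-terminated in the truncation case). */
int copy_bounded(char *dest, size_t dest_size, const char *src) {
    size_t i;
    if (dest_size == 0) {
        return -1;
    }
    for (i = 0; i < dest_size - 1 && src[i] != '\0'; ++i) {
        dest[i] = src[i];
    }
    dest[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}
```

The fix is to bound the loop by dest_size - 1 rather than dest_size, and to report truncation to the caller instead of silently dropping characters; would_overflow() makes the failing precondition of the noncompliant loop explicit so it can be checked before any copy.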
...
The getenv() function searches an environment list, provided by the host environment, for a string that matches the string pointed to by name. The set of environment names and the method for altering the environment list are implementation-defined. Environment variables can be arbitrarily large, and copying them into fixed-length arrays without first determining the size and allocating adequate storage can result in a buffer overflow.
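The following is an added example, not code from the original page: two ways to take a getenv() value into program-owned storage without assuming it fits a fixed-size array. The function names (`env_copy_bounded`, `env_dup`) and the variable name EXAMPLE_HOME are hypothetical.

```c
/* Added example (not the page's own code): measuring an environment value
 * before copying it, either into a caller-supplied buffer or into heap
 * storage sized from the value itself. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Copies the named variable into buf, which holds buf_size bytes.
 * Returns 0 on success, -1 if the variable is unset or the value plus its
 * terminator does not fit; buf is left untouched on failure. */
int env_copy_bounded(const char *name, char *buf, size_t buf_size) {
    const char *value = getenv(name);
    if (value == NULL) {
        return -1;
    }
    size_t len = strlen(value);
    if (len + 1 > buf_size) {      /* measure before copying anything */
        return -1;
    }
    memcpy(buf, value, len + 1);   /* includes the null terminator */
    return 0;
}

/* Returns a heap copy sized from the actual value (caller frees), or NULL
 * if the variable is unset or allocation fails. A copy is taken because the
 * string getenv() returns may be overwritten by a later getenv() call. */
char *env_dup(const char *name) {
    const char *value = getenv(name);
    if (value == NULL) {
        return NULL;
    }
    size_t len = strlen(value);
    char *copy = malloc(len + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, value, len + 1);
    return copy;
}
```

Both functions compute strlen() on the value first; the bounded variant refuses the copy when the value plus terminator exceeds the buffer, and the heap variant allocates exactly what is needed, so neither can overrun regardless of how large the environment value is.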
...
Tool | Version | Checker | Description
---|---|---|---
Fortify SCA | V. 5.0 | |
Splint | | |
Compass/ROSE | | | Can detect violations of the rule. However, it is unable to handle cases involving
PRQA QA-C | | 0556 | Partially implemented
Related Vulnerabilities
...
ISO/IEC TR 17961 (Draft) Using a tainted value to write to an object using a formatted input or output function [taintformatio]
ISO/IEC TR 24772 "CJM String termination," "XYW Buffer overflow in stack," and "XYB Buffer overflow in heap"
...
MITRE CWE: CWE-193, "Off-by-one error"
Bibliography
[Dowd 2006] Chapter 7, "Program Building Blocks" ("Loop constructs," pp. 327–336)
[Seacord 2005a] Chapter 2, "Strings"
[xorl 2009] FreeBSD-SA-09:11: NTPd Remote Stack Based Buffer Overflows
...