Upon return, functions should guarantee that any object returned by the function, or any modified value referenced by a pointer argument, is a valid object of function return type or argument type. Otherwise, type errors can occur in the program.

A good example is the null-terminated byte string type in C. If a string lacks the terminating null character, the program may be tricked into accessing storage after the string as legitimate data. A program may, as a result, process a string that it should not process, which might be a security flaw in itself. It may also cause the program to abort, which might be a denial-of-service attack.

The emphasis of this rule is to avoid producing unterminated strings; it does not address processing of already existing unterminated strings. However, by preventing the creation of unterminated strings, the need to process them is greatly lessened.

...

The standard strncpy() function does not guarantee that the resulting string is null-terminated [ISO/IEC 9899:2011]. If there is no null character in the first n characters of the source array, the result may not be null-terminated.

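```c
#include <string.h>

char *source;
char a[NTBS_SIZE];
/* ... */
if (source) {
  /*
   * strncpy() returns its destination pointer, not an error code.
   * If source has no null character in its first 5 characters,
   * a is left without a terminating null.
   */
  strncpy(a, source, 5);
}
else {
  /* Handle NULL string condition */
}
```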

...

The strncpy_s() function copies up to n characters from the source array to a destination array [TR 24731]. If no null character was copied from the source array, then the nth position in the destination array is set to a null character, guaranteeing that the resulting string is null-terminated.

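```c
#define __STDC_WANT_LIB_EXT1__ 1  /* Request the Annex K interfaces */
#include <string.h>

char *source;
char a[NTBS_SIZE];
/* ... */
if (source) {
  /* On success, a is null-terminated even when all 5 characters are copied */
  errno_t err = strncpy_s(a, sizeof(a), source, 5);
  if (err != 0) {
    /* Handle error */
  }
}
else {
  /* Handle NULL string condition */
}
```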
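An added example, not part of the original page: strncpy_s() belongs to the optional Annex K interfaces of C11 and is not available in every C library, so this portable helper enforces the same return guarantee and checks it against strncpy() on a constructed input. The names copy_ntbs, is_ntbs and demo are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not from the original page): copy at most n characters
 * of src into dst, which holds dstsize bytes. Whenever dst is writable, it is
 * a valid null-terminated byte string on return, even on failure.
 * Returns 0 on success, -1 on bad arguments or if the copy would not fit. */
int copy_ntbs(char *dst, size_t dstsize, const char *src, size_t n) {
  if (dst == NULL || dstsize == 0) {
    return -1;                     /* nothing can be written safely */
  }
  if (src == NULL) {
    dst[0] = '\0';                 /* still leave a valid (empty) string */
    return -1;
  }
  /* Length of the prefix to copy: stop at the first null or after n chars. */
  size_t len = 0;
  while (len < n && src[len] != '\0') {
    len++;
  }
  if (len >= dstsize) {            /* no room for the terminator */
    dst[0] = '\0';
    return -1;
  }
  memcpy(dst, src, len);
  dst[len] = '\0';                 /* the guarantee strncpy() does not give */
  return 0;
}

/* Postcondition check: 1 if buf holds a null within its first size bytes. */
int is_ntbs(const char *buf, size_t size) {
  return memchr(buf, '\0', size) != NULL;
}

/* Returns 1 if strncpy() leaves its buffer unterminated for this source
 * while copy_ntbs() produces the terminated 5-character prefix. */
int demo(const char *source) {
  char a[5], b[6];
  memset(a, 'X', sizeof a);        /* pre-fill so no stray null is present */
  memset(b, 'X', sizeof b);
  strncpy(a, source, sizeof a);    /* 5 characters copied, no terminator */
  int rc = copy_ntbs(b, sizeof b, source, 5);
  return !is_ntbs(a, sizeof a) && rc == 0 && is_ntbs(b, sizeof b)
         && strcmp(b, "01234") == 0;
}

int main(void) { return demo("0123456789") ? 0 : 1; }  /* constructed input */
```

A check like is_ntbs() works as a debug-build assertion at the end of any function that hands a string back to its caller.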

Risk Assessment

Failure to enforce type safety can result in type errors in the program.

...

CERT C++ Secure Coding Standard: API07-CPP. Enforce type safety

ISO/IEC 9899:2011 Section 7.24, "String handling <string.h>"

ISO/IEC TR 24772 "CJM String termination"

ISO/IEC TR 24731-1:2007 Section 6.7.1.4, "The strncpy_s function"

Bibliography

...