...

There are two notable differences between the compliant solution above and the secure versions from TR24731-1. First, the TR24731-1 versions use rsize_t instead of size_t. This allows the size to be compared against the reasonable limit for a single object, RSIZE_MAX. Second, the TR24731-1 versions do not require an element count for the second array. Consequently, these functions have limited ability to validate the input for s2. However, a size value for s1 is required, so memory outside of the range for s1 should not be overwritten.

Exceptions

API02-EX1: Functions that can guarantee via their runtime constraint handlers that no out-of-bounds read or write occurs may omit the maximum elements argument. For instance, the s2 parameter to strcat_s() needs no max parameter.

TR 24731-1, which will be an appendix in C1X, defines bounds-checking versions of standard C library string handling functions.

errno_t strcat_s(char * restrict s1, rsize_t s1max, const char * restrict s2);

As another example, consider strcpy_s():

errno_t strcpy_s(char * restrict s1, rsize_t s1max, const char * restrict s2);

This function provides no explicit maximum argument for s2. It does, however, require that s1max be larger than the length of the string s2, and the length check itself reads no more than s1max characters of s2, thereby preventing an out-of-bounds read.
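As an added illustration (not code from TR 24731-1 or from this page), a portable rebuild of the strcpy_s() contract shows how the single s1max bound protects both the write into s1 and the read of s2: the length of s2 is never measured past s1max characters, and the copy never exceeds s1. The function name, the RSIZE_MAX value, the error codes and the report-and-continue constraint handler are assumptions for this example; the overlap check of the real function is omitted.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed value; the real RSIZE_MAX is implementation-defined. */
#define CK_RSIZE_MAX (SIZE_MAX >> 1)

typedef int ck_errno_t;   /* stands in for errno_t */

/* Runtime-constraint handler: report and continue (an abort handler would exit). */
static void ck_constraint_violation(const char *msg) {
    fprintf(stderr, "runtime constraint violated: %s\n", msg);
}

/* Bounded length: never reads beyond maxlen characters of s. */
static size_t ck_strnlen(const char *s, size_t maxlen) {
    size_t n = 0;
    while (n < maxlen && s[n] != '\0') n++;
    return n;
}

/* Mirrors strcpy_s(): only s1 carries a size, yet s2 cannot be over-read. */
ck_errno_t checked_strcpy(char *s1, size_t s1max, const char *s2) {
    if (s1 == NULL) {
        ck_constraint_violation("s1 is null");
        return 1;
    }
    if (s1max == 0 || s1max > CK_RSIZE_MAX) {
        ck_constraint_violation("s1max out of range");
        return 2;
    }
    /* From here on s1 is usable, so a violation leaves s1 as an empty string. */
    if (s2 == NULL) {
        s1[0] = '\0';
        ck_constraint_violation("s2 is null");
        return 1;
    }
    size_t len = ck_strnlen(s2, s1max);   /* reads at most s1max chars of s2 */
    if (len >= s1max) {                   /* s2 plus its terminator does not fit */
        s1[0] = '\0';
        ck_constraint_violation("s2 too long for s1");
        return 3;
    }
    memcpy(s1, s2, len + 1);              /* copies the terminator; s1 never overrun */
    return 0;
}

int main(void) {
    char dst[8];
    printf("%d\n", checked_strcpy(dst, sizeof dst, "hello"));                    /* 0 */
    printf("%d '%s'\n", checked_strcpy(dst, sizeof dst, "far too long"), dst);    /* 3 '' */
    return 0;
}
```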

Risk Assessment

Failure to pass a size argument for the arrays a function reads or writes can result in buffer overflows in the program.

...