SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 42

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 43

changes.mady.by.user Justin Pincar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider (sch jbop) (X_X)@==(Q_Q)@

...

These functions truncate strings that exceed the specified limits. Additionally, some functions such as strncpy() do not guarantee that the resulting string is null NULL terminated STR32-C. Null-terminate byte strings as required.

...

The standard functions strncpy() and strncat() copy a specified number of characters n from a source string to a destination array. If there is no null NULL character in the first n characters of the source array, the result will not be null NULL terminated and any remaining characters are truncated.

...

Either the strcpy() or strncpy() function can be used to copy a string and a null NULL character to a destination buffer, provided there is enough space. Care must be taken to ensure that the destination buffer is large enough to hold the string to be copied and the null NULL byte to prevent errors such as data truncation and buffer overflow.

Code Block
bgColor#ccccff
char *string_data;
char a[16];

if (string_data == NULL) {
  /* Handle nullNULL pointer error */
}
else if (strlen(string_data) >= sizeof(a)) {
  /* Handle overlong string error */
}
else {
  strcpy(a, string_data);
}

It is assumed that string_data is null NULL terminated, that is, a null NULL byte can be found within the bounds of the referenced character array. Otherwise, strlen() will stray into other objects before finding a null NULL byte.

Compliant Solution (TR 24731-1)

Wiki Markup
The {{strcpy_s()}} function defined in \[[ISO/IEC TR 24731-1-2007|AA. C References#ISO/IEC TR 24731-1-2007]\] provides additional safeguards, including accepting the size of the destination buffer as an additional argument [STR07-A. Use TR 24731 for remediation of existing string manipulation code]. Also, {{strnlen_s()}} accepts a maximum-length argument for strings that may not be nullNULL terminated.

Code Block
bgColor#ccccff
char *string_data;
char a[16];

if (string_data == NULL) {
  /* Handle nullNULL pointer error */
}
else if (strnlen_s(string_data, sizeof(a)) >= sizeof(a)) {
  /* Handle overlong string error */
}
else {
  strcpy_s(a, sizeof(a), string_data);
}

...

STR03-EX1: The intent of the programmer is to intentionally truncate the nullNULL-terminated byte string.

Risk Assessment

...

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

STR03-A

1 ( low ) 1 (

unlikely )

2 ( medium )

P2

L3

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

...