...

These functions truncate strings that exceed the specified limits. Additionally, some functions such as strncpy() do not guarantee that the resulting string is null-terminated. (See rule STR32-C. Null-terminate byte strings as required.)

Unintentional truncation results in a loss of data and, in some cases, leads to software vulnerabilities.

...

The standard functions strncpy() and strncat() copy a specified number of characters n from a source string to a destination array. In the case of strncpy(), if there is no null character in the first n characters of the source array, the result will not be null-terminated and any remaining characters are truncated.

Noncompliant code example (C):

```c
#include <string.h>

char *string_data;
char a[16];
/* ... */
/* Noncompliant: if string_data has no null character within its first
 * sizeof(a) bytes, a is left unterminated and the tail is silently dropped. */
strncpy(a, string_data, sizeof(a));
```

...

Compliant solution (C):

```c
#include <string.h>

char *string_data = NULL;
char a[16];

/* ... */

if (string_data == NULL) {
  /* Handle null pointer error */
}
else if (strlen(string_data) >= sizeof(a)) {
  /* Handle overlong string error: no room for the string plus its terminator */
}
else {
  /* The string is known to fit, so the copy can neither overflow nor truncate */
  strcpy(a, string_data);
}
```

...

The strcpy_s() function defined in Extensions to the C Library—Part I [ISO/IEC TR 24731-1:2007] provides additional safeguards, including accepting the size of the destination buffer as an additional argument. (See recommendation STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.) The strnlen_s() function also accepts a maximum-length argument, so it can be used on strings that may not be null-terminated.

Compliant solution using the bounds-checking interfaces (C):

```c
/* Request the TR 24731-1 / C11 Annex K interfaces before including <string.h> */
#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>

char *string_data = NULL;
char a[16];

/* ... */

if (string_data == NULL) {
  /* Handle null pointer error */
}
else if (strnlen_s(string_data, sizeof(a)) >= sizeof(a)) {
  /* Handle overlong string error: the scan stops at sizeof(a) even if
   * string_data is not null-terminated */
}
else {
  /* strcpy_s() also checks that the destination size is sufficient */
  strcpy_s(a, sizeof(a), string_data);
}
```

If a runtime-constraint error is detected by either the call to strnlen_s() or strcpy_s(), the currently registered runtime-constraint handler is invoked. See recommendation ERR03-C. Use runtime-constraint handlers when calling the bounds-checking interfaces for more information on using runtime-constraint handlers with TR 24731-1 functions.
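To make the failure mode concrete, the following is an added example in standard C and not code from the CERT page: strncpy_leaves_unterminated() shows that strncpy() into a 16-byte array leaves no terminator when given a 20-character input, and copy_or_reject() is a hypothetical helper that rejects null or overlong input instead of truncating, using only portable functions so it does not depend on TR 24731-1 support.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a bounded copy: the three cases the rule distinguishes. */
enum copy_status { COPY_OK = 0, COPY_NULL_ARG = 1, COPY_TOO_LONG = 2 };

/* Hypothetical helper: copy src into dst[dst_size] only if it fits with its
 * terminator; otherwise leave dst empty and report why. Unlike strncpy(),
 * it never silently truncates and always null-terminates dst. */
enum copy_status copy_or_reject(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || dst_size == 0) return COPY_NULL_ARG;
    dst[0] = '\0';
    if (src == NULL) return COPY_NULL_ARG;
    /* Bounded scan (strnlen-style) so an unterminated src cannot run away */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') len++;
    if (len >= dst_size) return COPY_TOO_LONG;   /* no room for the terminator */
    memcpy(dst, src, len + 1);                   /* copies the '\0' as well */
    return COPY_OK;
}

/* Returns 1 if strncpy() into a 16-byte buffer left it unterminated,
 * 0 if a terminator is present, -1 if dst_size exceeds the buffer. */
int strncpy_leaves_unterminated(const char *src, size_t dst_size) {
    char dst[16];
    if (dst_size > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);                /* poison so leftovers are visible */
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) == NULL;
}

int main(void) {
    char a[16];
    const char *short_s = "hello";                  /* constructed sample input */
    const char *long_s  = "0123456789ABCDEFGHIJ";  /* constructed: 20 characters */
    printf("strncpy left a unterminated: %d\n",
           strncpy_leaves_unterminated(long_s, sizeof a));
    enum copy_status s1 = copy_or_reject(a, sizeof a, long_s);
    printf("copy_or_reject(long): status %d, a=\"%s\"\n", (int)s1, a);
    enum copy_status s2 = copy_or_reject(a, sizeof a, short_s);
    printf("copy_or_reject(short): status %d, a=\"%s\"\n", (int)s2, a);
    return 0;
}
```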

...

| Tool | Version | Checker | Description |
|---|---|---|---|
| LDRA tool suite | LDRA_V | 115 S | Fully implemented. |
| Compass/ROSE | | | Could detect violations in the following manner: all calls to strncpy() and the other functions should be followed by an assignment of a terminating character to null-terminate the string. |
| Fortify SCA | V. 5.0 | | |
| Klocwork | Klocwork_V | NNTS | |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

CERT C++ Secure Coding Standard: STR03-CPP. Do not inadvertently truncate a null-terminated character array

ISO/IEC 9899:2011 Section 7.24, "String handling <string.h>"

ISO/IEC TR 24772 "CJM String termination"

ISO/IEC TR 24731-1:2007

MITRE CWE: CWE-170, "Improper null termination"

MITRE CWE: CWE-464, "Addition of data structure sentinel"

Bibliography

[Seacord 2005a] Chapter 2, "Strings"

...