Copying data to a buffer that is not large enough to hold that data results in a buffer overflow. While not limited to null-terminated byte strings (NTBS), buffer overflows often occur when manipulating NTBS data. To prevent such errors, either limit copies through truncation or, preferably, ensure that the destination is large enough to hold the character data to be copied plus the null terminator, that is, at least strlen(src) + 1 bytes; forgetting the terminator's byte is the classic off-by-one error. (See recommendation STR03-C. Do not inadvertently truncate a null-terminated byte string.)
...
Command-line arguments are passed to {{main()}} as pointers to null-terminated byte strings in the array members {{argv[0]}} through {{argv[argc-1]}}. If the value of {{argc}} is greater than zero, the string pointed to by {{argv[0]}} is, by convention, the program name. If the value of {{argc}} is greater than one, the strings referenced by {{argv[1]}} through {{argv[argc-1]}} are the actual program arguments.
The C standard guarantees that the parameters {{argc}} and {{argv}} and the strings pointed to by the {{argv}} array are modifiable by the program and retain their last-stored values between program startup and program termination (ISO/IEC 9899:1999 Section 5.1.2.2.1). A program that needs to extend an argument (for example, by appending a suffix) or keep the original intact must therefore copy it into storage it sizes itself, and vulnerabilities occur when inadequate space is allocated for that copy. Note that {{argv[0]}} is supplied by whoever invokes the program and is not bounded by the length of the real program name. In this noncompliant code example, the contents of {{argv[0]}} can be manipulated by an attacker to cause a buffer overflow:
...
The {{strcpy_s()}} function (TR 24731-1) takes the size of the destination buffer as an additional argument; if the source string, including its null terminator, does not fit, it reports the error through its {{errno_t}} return value and the runtime-constraint handler instead of writing past the end of the buffer. (See recommendation STR07-C. Use TR 24731 for remediation of existing string manipulation code.) Do not assume that {{argv[0]}} is non-null.
...
The memcpy() function differs from strcpy_s() in that it never returns an error; it returns a pointer to the destination (its first argument). It also does not check that the destination has enough space for the bytes being copied, so the caller must verify that strlen(src) + 1 does not exceed the destination size before calling it. In addition, memcpy() cannot be used if the source and destination overlap (memmove() is required in that case).
...
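As an added example that is not code from the CERT page, the following C program applies both sizing strategies described above to argv[0]: copying into a fixed-size buffer only after checking that the string and its null terminator fit, and allocating exactly strlen + 1 bytes (or the sum of the lengths plus one, for concatenation) on the heap. It uses memcpy() with an explicit bound check rather than strcpy_s(), so it builds with any C99 toolchain, including ones without TR 24731. The function names, the 128-byte buffer and the ".log" suffix are this example's own choices; a null argv[0] is treated as an empty string.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Noncompliant pattern, shown only for contrast (not called here):
 *
 *     char prog_name[128];
 *     strcpy(prog_name, argv[0]);   // overflows if strlen(argv[0]) > 127
 *
 * The functions below size the destination from the source instead.
 */

/* Copy name into dst only if the string and its null terminator fit.
 * Returns 0 on success, -1 if dst is too small (dst is left untouched).
 * The check is `len >= dst_size`, not `len > dst_size`: a string of
 * exactly dst_size bytes has no room for the terminator (CWE-193). */
int copy_bounded(char *dst, size_t dst_size, const char *name) {
    if (name == NULL) {
        name = "";                     /* argv[0] may be a null pointer */
    }
    size_t len = strlen(name);
    if (dst_size == 0 || len >= dst_size) {
        return -1;                     /* no room for len + '\0' */
    }
    memcpy(dst, name, len + 1);        /* length checked, so memcpy is safe */
    return 0;
}

/* Return a heap copy of name sized exactly strlen(name) + 1, or NULL if
 * allocation fails. The caller frees the result. */
char *copy_alloc(const char *name) {
    if (name == NULL) {
        name = "";
    }
    size_t len = strlen(name);
    char *copy = malloc(len + 1);      /* +1 for the null terminator */
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, name, len + 1);
    return copy;
}

/* Concatenate name and suffix into a freshly allocated buffer sized from
 * both inputs. Returns NULL if the size computation would wrap or if
 * allocation fails. The caller frees the result. */
char *name_with_suffix(const char *name, const char *suffix) {
    if (name == NULL) {
        name = "";
    }
    size_t nlen = strlen(name);
    size_t slen = strlen(suffix);
    if (nlen > SIZE_MAX - slen - 1) {
        return NULL;                   /* nlen + slen + 1 would overflow */
    }
    char *out = malloc(nlen + slen + 1);
    if (out == NULL) {
        return NULL;
    }
    memcpy(out, name, nlen);
    memcpy(out + nlen, suffix, slen + 1);   /* copies suffix's terminator too */
    return out;
}

int main(int argc, char *argv[]) {
    /* argv[0] is supplied by the invoker; it may be absent or a null pointer.
     * When the name is only read, this pointer is all that is needed. */
    const char *name = (argc > 0 && argv[0] != NULL) ? argv[0] : "";

    char prog_name[128];               /* example's own fixed-size buffer */
    if (copy_bounded(prog_name, sizeof prog_name, name) != 0) {
        fputs("program name too long for fixed buffer\n", stderr);
        return EXIT_FAILURE;
    }

    char *log_name = name_with_suffix(name, ".log");
    if (log_name == NULL) {
        fputs("out of memory\n", stderr);
        return EXIT_FAILURE;
    }
    printf("fixed copy: %s\nheap copy:  %s\n", prog_name, log_name);
    free(log_name);
    return EXIT_SUCCESS;
}
```

The fixed-buffer path refuses (rather than truncates) an over-long name, which matches STR03-C's preference; the heap paths never need a length check because the destination is derived from the source lengths.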
If an argument is not going to be modified or concatenated, there is no reason to make a copy of the string. A copy that is never made cannot overflow, so not copying is both the safest and the most efficient solution. Do not assume that {{argv[0]}} is non-null.
...
Search for additional vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: STR31-CPP. Guarantee that storage for character arrays has sufficient space for character data and the null terminator
Bibliography
[Dowd 2006] Chapter 7, "Program Building Blocks" (Loop Constructs 327-336)
[ISO/IEC 9899:1999] Section 5.1.2.2.1, "Program startup," Section 7.1.1, "Definitions of terms," Section 7.20.4.5, "The getenv function," and Section 7.21, "String handling <string.h>"
[ISO/IEC PDTR 24772] TR 24772 "CJM String Termination," "XYW Buffer Overflow in Stack," and "XYB Buffer Overflow in Heap"
[MITRE] CWE ID 119, "Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer" (http://cwe.mitre.org/data/definitions/119.html)
[MITRE] CWE ID 120, "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" (http://cwe.mitre.org/data/definitions/120.html)
[MITRE] CWE ID 193, "Off-by-one Error" (http://cwe.mitre.org/data/definitions/193.html)
[Seacord 2005a] Chapter 2, "Strings"
[xorl 2009] "FreeBSD-SA-09:11: NTPd Remote Stack Based Buffer Overflows" (http://xorl.wordpress.com/2009/06/10/freebsd-sa-0911-ntpd-remote-stack-based-buffer-overflows/)
...