Copying data into a buffer that is not large enough to hold that data results in a buffer overflow. While not limited to null-terminated byte strings (NTBS), this type of error often occurs when manipulating NTBS data. To prevent such errors, limit copies either through truncation (although consult STR03-A. Do not inadvertently truncate a null terminated byte string for problems that truncation may cause) or, preferably, ensure that the destination is of sufficient size to hold the character data to be copied and the null-termination character.
| Include Page |
|---|
| c:STR31 NCCE strcpy |
| c:STR31 CS strcpy |
| c:STR31 CS 1 strcpy_s |
| c:STR31 NCCE off-by-1 |
| c:STR31 CS off-by-1 |
| c:STR31 NCCE 2 getenv |
| c:STR31 CS 2 getenv |
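Added example (not from the original page): two ways to follow the guidance above, rejecting a source string that does not fit a fixed buffer and sizing the destination from the source's actual length. The helper names `copy_checked` and `dup_env` and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe pattern this replaces:  char buf[8]; strcpy(buf, src);
 * strcpy() writes strlen(src) + 1 bytes no matter how large buf is. */

/* copy_checked (hypothetical helper): copy src into dst, whose capacity is
 * dst_size bytes including the terminator. Returns 0 on success, -1 if the
 * arguments are invalid or src does not fit. When dst is usable, a failure
 * leaves it as an empty string: never overflowed, truncated or unterminated. */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || dst_size == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    size_t len = strlen(src);
    if (len >= dst_size) return -1;  /* need len + 1 bytes: the off-by-one check */
    memcpy(dst, src, len + 1);       /* copies the terminator too */
    return 0;
}

/* dup_env (hypothetical helper): copy an environment variable into storage
 * sized from the value's real length instead of a guessed fixed size.
 * Returns NULL if the variable is unset or allocation fails; caller frees. */
char *dup_env(const char *name) {
    const char *val = getenv(name);
    if (val == NULL) return NULL;
    size_t len = strlen(val);
    char *copy = malloc(len + 1);
    if (copy == NULL) return NULL;
    memcpy(copy, val, len + 1);
    return copy;
}

int main(void) {
    char buf[8];
    /* Constructed inputs: 7 characters fit an 8-byte buffer, 8 do not. */
    printf("7 chars: %d\n", copy_checked(buf, sizeof buf, "1234567"));
    printf("8 chars: %d\n", copy_checked(buf, sizeof buf, "12345678"));
    char *path = dup_env("PATH");
    printf("PATH copy: %s\n", path ? path : "(unset)");
    free(path);
    return 0;
}
```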
Risk Assessment
Copying data to a buffer that is too small to hold that data results in a buffer overflow. Attackers can use this to execute arbitrary code.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| STR31-C | 3 (medium) | 3 (probable) | 2 (medium) | P18 | L1 |