Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This noncompliant code example demonstrates what is commonly called an off-by-one error [Dowd 2006]. The loop copies data from src to dest. However, the null terminator may incorrectly be written one byte past the end of dest because the loop does not account for the null-termination character that must be appended to dest.

...

The getenv() function searches an environment list, provided by the host environment, for a string that matches the string pointed to by name. The set of environment names and the method for altering the environment list are implementation-defined. Environment variables can be arbitrarily large, and copying them into fixed-length arrays without first determining the size and allocating adequate storage can result in a buffer overflow.

...

Tool

Version

Checker

Description

LDRA tool suite

Include Page
LDRA_V
LDRA_V

 

 

Fortify SCA

V. 5.0

 

 

Splint

Include Page
Splint_V
Splint_V

 

 

Compass/ROSE

 

 

Can detect violations of the rule. However, it is unable to handle cases involving strcpy_s() or manual string copies such as the one in the first example.

Klocwork

Include Page
Klocwork_V
Klocwork_V

 

 

PRQA QA·CQA-C
Include Page
PRQA_V
PRQA_V
 Partially implemented

...

ISO/IEC TR 17961 (Draft) Using a tainted value to write to an object using a formatted input or output function [taintformatio]

ISO/IEC TR 24772 "CJM String termination," "XYW Buffer overflow in stack," and "XYB Buffer overflow in heap"

...

MITRE CWE: CWE-193, "Off-by-one error"

Bibliography

[Dowd 2006] Chapter 7, "Program Building Blocks" ("Loop constructs," pp. 327–336)
[Seacord 2005a] Chapter 2, "Strings"
[xorl 2009] FreeBSD-SA-09:11: NTPd Remote Stack Based Buffer Overflows

...