Copying data to a buffer that is not large enough to hold that data results in a buffer overflow. Buffer overflows are not limited to null-terminated byte strings (NTBS), but they occur frequently when manipulating strings. To prevent such errors, either limit copies through truncation or, preferably, ensure that the destination is of sufficient size to hold the character data to be copied and the null-termination character. (See STR03-C. Do not inadvertently truncate a null-terminated byte string.)
Because strings are represented as arrays of characters, this rule is an instance of both ARR30-C. Do not form or use out of bounds pointers or array subscripts and ARR38-C. Guarantee that library functions do not form invalid pointers.
...
getline() works only with buffers allocated with malloc(). If passed a null pointer, getline() allocates a buffer of sufficient size to hold the input. As such, the user must explicitly free() the buffer later. Do not pass a null pointer to getline(), because doing so violates MEM00-C. Allocate and free memory in the same module, at the same level of abstraction.
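The following C program is an added example, not code from the CERT page: it reads a line with getline() into a buffer that the calling module has already allocated with malloc(), lets getline() grow that buffer through realloc() when the line is longer than the initial size, and releases it in the same function. The sample text, the 16-byte initial capacity and the use of fmemopen() to build an in-memory stream are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for getline() and fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one line from fp into *line, a buffer this module allocated with
 * malloc() and that getline() may realloc() as needed. Returns the number
 * of bytes read (newline included) or -1 on EOF/error. */
ssize_t read_line(FILE *fp, char **line, size_t *cap) {
    if (*line == NULL) {
        *cap = 16;                      /* deliberately small initial size (assumed) */
        *line = malloc(*cap);
        if (*line == NULL) {
            return -1;
        }
    }
    return getline(line, cap, fp);      /* grows *line when the line is longer */
}

/* Open a constructed in-memory stream over text, read its first line, and
 * report whether it equals expected. The buffer is allocated and freed in
 * this same function (MEM00-C); the caller owns nothing afterwards. */
int first_line_equals(const char *text, const char *expected) {
    FILE *fp = fmemopen((void *)text, strlen(text), "r");  /* read-only stream */
    if (fp == NULL) {
        return 0;
    }
    char *line = NULL;
    size_t cap = 0;
    ssize_t n = read_line(fp, &line, &cap);
    int ok = n >= 0 && (size_t)n == strlen(expected) && strcmp(line, expected) == 0;
    free(line);                         /* released at the level it was allocated */
    fclose(fp);
    return ok;
}

/* Read a line of len 'a' characters to show getline() growing the 16-byte
 * initial buffer; returns 1 if the whole line, newline included, came back. */
int long_line_roundtrip(size_t len) {
    char *text = malloc(len + 2);       /* len chars + '\n' + '\0' */
    if (text == NULL) {
        return 0;
    }
    memset(text, 'a', len);
    text[len] = '\n';
    text[len + 1] = '\0';
    FILE *fp = fmemopen(text, len + 1, "r");
    char *line = NULL;
    size_t cap = 0;
    ssize_t n = fp ? read_line(fp, &line, &cap) : -1;
    int ok = n == (ssize_t)(len + 1) && cap >= len + 2
             && strlen(line) == len + 1 && line[len] == '\n';
    free(line);
    if (fp) {
        fclose(fp);
    }
    free(text);
    return ok;
}
```

Because read_line() hands getline() a malloc()ed buffer and a capacity, getline() can realloc() it to whatever the line needs; the only thing the module must guarantee is that the same buffer pointer is later passed to free().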
...
Command-line arguments are passed to main() as pointers to null-terminated byte strings in the array members argv[0] through argv[argc - 1]. If the value of argc is greater than 0, the string pointed to by argv[0] is, by convention, the program name. If the value of argc is greater than 1, the strings referenced by argv[1] through argv[argc - 1] are the program arguments.
...
Remember to add a byte to accommodate the null-termination character.
Compliant Solution (Annex K, argv)
...
Environment variables are loaded into process memory when the program is loaded. As a result, the length of these null-terminated byte strings can be determined by calling the strlen() function, and the resulting length can be used to allocate adequate dynamic memory:
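The sizing pattern described for argv[] elements and environment variables (and for the general rule at the top of the page) is the same in both cases: measure the string with strlen(), add one byte for the terminator, and only then allocate or copy. The program below is an added example, not the CERT compliant solution; dup_ntbs(), copy_ntbs_checked() and the check helpers are names chosen here, and the 64-byte destination used by fits_in() is a constructed test buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc()ed copy of src sized exactly strlen(src) + 1 so the
 * null terminator is always stored. NULL on bad input or allocation failure. */
char *dup_ntbs(const char *src) {
    if (src == NULL) {
        return NULL;
    }
    size_t len = strlen(src);
    if (len == SIZE_MAX) {
        return NULL;                    /* len + 1 would wrap around */
    }
    char *dst = malloc(len + 1);        /* the extra byte is the terminator */
    if (dst == NULL) {
        return NULL;
    }
    memcpy(dst, src, len + 1);          /* copies the terminator too */
    return dst;
}

/* Copy src into a fixed buffer only when dstsz can hold the characters
 * plus the terminator; otherwise leave dst empty and report failure, which
 * is the alternative to silently truncating (STR03-C). */
int copy_ntbs_checked(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || dstsz == 0 || src == NULL) {
        return -1;
    }
    size_t len = strlen(src);
    if (len >= dstsz) {                 /* need len + 1 <= dstsz */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Bytes that must be allocated for a copy of src. */
size_t bytes_needed(const char *src) {
    return strlen(src) + 1;
}

/* Check helpers that keep allocation and release in one place. */
int dup_roundtrip(const char *src) {
    char *copy = dup_ntbs(src);
    int ok = copy != NULL && copy != src && strcmp(copy, src) == 0;
    free(copy);
    return ok;
}

int fits_in(size_t dstsz, const char *src) {
    char buf[64];                       /* constructed destination; dstsz capped at 64 */
    if (dstsz > sizeof buf) {
        dstsz = sizeof buf;
    }
    return copy_ntbs_checked(buf, dstsz, src) == 0 && strcmp(buf, src) == 0;
}

/* Stand-alone demo: copy the program name and an environment variable,
 * each sized from strlen() at run time rather than from a guessed constant. */
int main(int argc, char *argv[]) {
    if (argc > 0) {
        char *prog = dup_ntbs(argv[0]);
        if (prog != NULL) {
            printf("program name needs %zu bytes: %s\n", bytes_needed(argv[0]), prog);
            free(prog);
        }
    }
    const char *path = getenv("PATH");
    if (path != NULL) {
        char *copy = dup_ntbs(path);
        if (copy != NULL) {
            printf("PATH copied into %zu bytes\n", bytes_needed(path));
            free(copy);
        }
    }
    return 0;
}
```

copy_ntbs_checked() refuses a copy that would not fit rather than truncating; a program that prefers truncation should do so deliberately, as STR03-C discusses, not as a side effect of a too-small destination.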
...
The buffer overflow can be prevented by providing a precision length to the %s specifier. The value 123 ensures that filename can contain the first 123 characters of name, the .txt extension, and the null terminator.
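As an added example (not the page's own compliant solution), the program below shows the arithmetic behind the precision: a 128-byte filename buffer holds 123 characters of name, the 4-character .txt extension and the terminator, and "%.123s" guarantees snprintf() never needs more. The helper names and the constructed names made of repeated 'a' characters are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CHARS    123                          /* precision used in the format */
#define FILENAME_SIZE (NAME_CHARS + sizeof ".txt") /* 123 + 4 + 1 = 128 bytes */

/* Build "<name>.txt" in a FILENAME_SIZE buffer. The %.123s precision stops
 * copying name after 123 characters, so the extension and the terminator
 * always fit. Returns the length written, or a negative value on error. */
int make_txt_filename(char filename[FILENAME_SIZE], const char *name) {
    int n = snprintf(filename, FILENAME_SIZE, "%.123s.txt", name);
    return n;                                      /* always < FILENAME_SIZE */
}

/* Bytes an unbounded "%s.txt" would need for the same name, terminator
 * included; compared against FILENAME_SIZE this shows when an unbounded
 * sprintf() into the 128-byte buffer would overflow. */
size_t bytes_needed_unbounded(const char *name) {
    return (size_t)snprintf(NULL, 0, "%s.txt", name) + 1;
}

/* Fill name with len 'a' characters (constructed input), capped to fit. */
static void fill_name(char *name, size_t sz, size_t len) {
    if (len >= sz) {
        len = sz - 1;
    }
    memset(name, 'a', len);
    name[len] = '\0';
}

/* Format a name of len characters and return the resulting length after
 * checking that the terminator and the extension both survived. */
int filename_len_for(size_t len) {
    char name[300];
    fill_name(name, sizeof name, len);

    char filename[FILENAME_SIZE];
    int n = make_txt_filename(filename, name);
    if (n < 0 || (size_t)n >= FILENAME_SIZE || (size_t)n != strlen(filename)) {
        return -1;
    }
    if (n < 4 || strcmp(filename + n - 4, ".txt") != 0) {
        return -1;
    }
    return n;
}

/* 1 if an unbounded "%s.txt" for a name of len characters would not fit. */
int unbounded_overflows(size_t len) {
    char name[300];
    fill_name(name, sizeof name, len);
    return bytes_needed_unbounded(name) > FILENAME_SIZE;
}
```

filename_len_for(200) returns 127, the same as for a 123-character name, because the precision discards everything past the 123rd character; unbounded_overflows(124) returns 1 because 124 + 4 + 1 bytes do not fit in 128.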
...