...
```c
errno_t strcpy_s(char * restrict s1, rsize_t s1max, const char * restrict s2);
```
The signature is similar to that of strcpy() but takes an extra argument of type rsize_t that specifies the maximum length of the destination buffer. (Functions that accept parameters of type rsize_t diagnose a constraint violation if the values of those parameters are greater than RSIZE_MAX. Extremely large object sizes are frequently a sign that an object's size was calculated incorrectly. For example, negative numbers appear as very large positive numbers when converted to an unsigned type like size_t. For those reasons, it is sometimes beneficial to restrict the range of object sizes to detect errors. For machines with large address spaces, ISO/IEC TR 24731-1 recommends that RSIZE_MAX be defined as the smaller of the size of the largest object supported or (SIZE_MAX >> 1), even if this limit is smaller than the size of some legitimate, but very large, objects. See also INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.)
...
ISO/IEC TR 24731-1 functions are still capable of overflowing a buffer if the maximum length of the destination buffer and number of characters to copy are incorrectly specified. ISO/IEC TR 24731-2 functions may make it more difficult to keep track of memory that must be freed, leading to memory leaks. As a result, the ISO/IEC TR 24731 functions are not especially secure but may be useful in preventive maintenance to reduce the likelihood of vulnerabilities in an existing legacy code base.
...
Noncompliant Code Example
The following noncompliant code overflows its buffer if msg is too long and has undefined behavior if msg is a null pointer.
```c
#include <stdio.h>
#include <string.h>

void complain(const char *msg) {
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZ];

  strcpy(buf, prefix);   /* no bounds checking on any of these calls */
  strcat(buf, msg);      /* overflows buf if msg is too long; undefined if msg is NULL */
  strcat(buf, suffix);
  fputs(buf, stderr);
}
```
Compliant Solution (run time)
The following compliant solution will not overflow its buffer.
```c
#define __STDC_WANT_LIB_EXT1__ 1   /* request the TR 24731-1 interfaces */
#include <stdio.h>
#include <string.h>

void complain(const char *msg) {
  errno_t err;
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZ];

  err = strcpy_s(buf, sizeof(buf), prefix);
  if (err != 0) {
    /* handle error */
  }
  /* A too-long or null msg is reported as an error instead of overflowing buf */
  err = strcat_s(buf, sizeof(buf), msg);
  if (err != 0) {
    /* handle error */
  }
  err = strcat_s(buf, sizeof(buf), suffix);
  if (err != 0) {
    /* handle error */
  }
  fputs(buf, stderr);
}
```
Compliant Solution (partial compile time)
The following compliant solution performs some of the checking at compile time using a static assertion (see DCL03-C. Use a static assertion to test the value of a constant expression).
```c
#define __STDC_WANT_LIB_EXT1__ 1   /* request the TR 24731-1 interfaces */
#include <assert.h>                /* static_assert */
#include <stdio.h>
#include <string.h>

void complain(const char *msg) {
  errno_t err;
  static const char prefix[] = "Error: ";
  static const char suffix[] = "\n";
  char buf[BUFSIZ];

  /* Ensure that more than one character is available for msg. */
  static_assert(sizeof(buf) > sizeof(prefix) + sizeof(suffix),
                "Buffer for complain() is too small");

  strcpy(buf, prefix);   /* cannot overflow: the static assertion guarantees prefix fits */
  err = strcat_s(buf, sizeof(buf), msg);
  if (err != 0) {
    /* handle error */
  }
  err = strcat_s(buf, sizeof(buf), suffix);
  if (err != 0) {
    /* handle error */
  }
  fputs(buf, stderr);
}
```
Risk Assessment
String handling functions defined in C99 Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of TR 24731 functions can eliminate the majority of these issues.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR00-A C | high | probable | medium | P12 | L1 |
Automated Detection
The LDRA tool suite V 7.6.0 can detect violations of this recommendation.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[ISO/IEC 9899:1999] Section 7.21, "String handling <string.h>"
[ISO/IEC TR 24731-1:2007]
[ISO/IEC PDTR 24772] "TRJ Use of Libraries"
[Seacord 05a] Chapter 2, "Strings"
[Seacord 05b]
...