...
Truncating strings can lead to a loss of data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR03-C | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| MISC.MEM.NTERM | No Space For Null Terminator | ||||||
Compass/ROSE |
Could detect violations in the following manner: all calls to | ||||||||
GCC | 8.1 | -Wstringop-truncation | Detects string truncation by strncat and strncpy . | |||||
Klocwork |
| NNTS.MIGHT |
LDRA tool suite |
| 115 S, 44 S | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_C-STR03-a | Avoid overflow due to reading a not zero terminated string | ||||||
Polyspace Bug Finder |
|
|
| CERT C: Rec. STR03-C | Checks for invalid use of standard library string routine (rec. partially supported) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | VOID STR03-CPP. Do not inadvertently truncate a null-terminated character array |
ISO/IEC TR 24772:2013 | String Termination [CJM] |
MITRE CWE | CWE-170, Improper null termination CWE-464, Addition of data structure sentinel |
Bibliography
[Seacord 2013] | Chapter 2, "Strings" |
...
...