Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

There are two basic approaches for managing strings in C programs: the first is to maintain strings in statically allocated arrays; the second is to dynamically allocate memory as required. Each approach has advantages and disadvantages. However, it generally makes sense to select a single approach to managing strings and apply it consistently across a project. Otherwise, the decision is left to individual programmers who are likely to make different, inconsistent choices.

Statically allocated strings assume a fixed-size character array, meaning that it is impossible to add data after the buffer is filled. Because the static approach discards excess data, actual program data can be lost. Consequently, the resulting string must be fully validated.

Dynamically allocated buffers dynamically resize as additional memory is required. Dynamic approaches scale better and do not discard excess data. The major disadvantage is that, if inputs are not limited, they can exhaust memory on a machine and consequently be used in denial-of-service attacks.

Dynamic allocation is often disallowed in safety-critical systems. For example, the MISRA standard requires that "dynamic heap memory allocation shall not be used" [MISRA 2004]. Some safety-critical systems can take advantage of dynamic memory allocation during initialization but not during operations. For example, avionics software may dynamically allocate memory while initializing the aircraft but not during flight.

A number of existing libraries are available for managing string data; the library selected depends on the approach adopted for managing null-terminated byte strings. The functions defined by the C Standard, subclause 7.24, are primarily intended for managing statically allocated strings. However, these functions are problematic because many of them are insufficiently bounded. Consequently, this standard recommends using the C11 Annex K functions with statically allocated arrays. (See STR07-C. Use the bounds-checking interfaces for string manipulation.) These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.

ISO/IEC TR 24731 Part II offers another approach, supplying functions that allocate enough memory for their results [ISO/IEC TR 24731-2]. It provides an API that dynamically allocates the results of string functions as needed. Almost all of the APIs in this technical report are also in a current international standard. For example, TR 24731 Part II includes POSIX functions, such as strdup() [ISO/IEC 9945:2003], as well as functions from the Linux Standard Base Core Specification such as asprintf() [ISO/IEC 23360-1:2006].

Risk Assessment

Failing to adopt a consistent plan for managing strings within an application can lead to inconsistent decisions, which may make it difficult to ensure system properties, such as adhering to safety requirements.

Recommendation

This managed string library was developed in response to the need for a string library that could improve the quality and security of newly developed C language programs while eliminating obstacles to widespread adoption and possible standardization.

The managed string library is based on a dynamic approach in that memory is allocated and reallocated as required. This approach eliminates the possibility of unbounded copies, null-termination errors, and truncation by ensuring there is always adequate space available for the resulting string (including the terminating null character).

A runtime-constraint violation occurs when memory cannot be allocated. In this way, the managed string library accomplishes the goal of succeeding or failing loudly.

The managed string library also provides a mechanism for dealing with data sanitization by (optionally) checking that all characters in a string belong to a predefined set of "safe" characters.

Compliant Solution

This compliant solution illustrates how the managed string library can be used to create a managed string and retrieve a null-terminated byte string from the managed string.

Code Block

errno_t retValue;
char *cstr;  /* pointer to null-terminated byte string */
string_m str1 = NULL;

if (retValue = strcreate_m(&str1, "hello, world", 0, NULL)) {
  fprintf(stderr, "Error %d from strcreate_m.\n", retValue);
}
else { /* retrieve null-terminated byte string and print */
  if (retValue = getstr_m(&cstr, str1)) {
    fprintf(stderr, "error %d from getstr_m.\n", retValue);
  }
  printf("(%s)\n", cstr);
  free(cstr); /* free null-terminated byte string */
}

Note that the calls to fprintf() and printf() are C99 standard functions and not managed string functions.

Risk Assessment

String handling functions defined in C99 Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Managed strings, when used properly, can eliminate many of these errors--particularly in new development.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

STR01-A

3 (high)

2 (probable)

1 (high)

P6

L2

C

Low

Unlikely

High

P1

L3

Related Vulnerabilities

Search for Examples of vulnerabilities resulting from the violation of this recommendation can be found rule on the CERT website.

References

Related Guidelines

Bibliography

 

...

Image Added Image Added Image Added Wiki Markup\[[Burch 06|AA. C References#Seacord 06]\] \[[CERT 06|AA. C References#CERT 06]\] \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.21, "String handling <string.h>" \[[Seacord 05a|AA. C References#Seacord 05a]\] Chapter 2, "Strings"