...
The gets_s()
function reads, at most, one less than the number of characters specified from the stream pointed to by stdin
into an array.
The C Standard, Annex K 3.5.4.1 paragraph 4 [ISO/IEC 9899:20112024], states
No additional characters are read after a new-line character (which is discarded) or after end-of-file. The discarded new-line character does not count towards number of characters read. A null character is written immediately after the last character read into the array.
...
In this compliant solution, characters are no longer copied to buf
once index == BUFFERSIZE - 1
, leaving room to null-terminate the string. The loop continues to read characters until the end of the line, the end of the file, or an error is encountered. When chars_read > index
truncated == true
, the input string has been truncated.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> enum { BUFFERSIZE = 32 }; void func(void) { char buf[BUFFERSIZE]; int ch; size_t index = 0; size_t chars_readbool truncated = 0false; while ((ch = getchar()) != '\n' && ch != EOF) { if (index < sizeof(buf) - 1) { buf[index++] = (char)ch; } else { chars_read++ truncated = true; } } buf[index] = '\0'; /* Terminate string */ if (ch == EOF) { /* Handle EOF or error */ } if (chars_read > indextruncated) { /* Handle truncation */ } } |
...
A more general solution is to use the snprintf()
function:, which also truncates name
if it will not fit in the filename
.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> void func(const char *name) { char filename[128]; int result = snprintf(filename, sizeof(filename), "%s.txt", name); } if (result != strlen(filename) { /* truncation occurred */ } } |
Risk Assessment
Copying string data to a buffer that is too small to hold that data results in a buffer overflow. Attackers can exploit this condition to execute arbitrary code with the permissions of the vulnerable process.
...
Tool | Version | Checker | Description | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported Astrée reports all buffer overflows resulting from copying data to a buffer that is not large enough to hold that data. | |||||||||||||||||||
Axivion Bauhaus Suite |
| CertC-STR31 | Detects calls to unsafe string function that may cause buffer overflow | ||||||||||||||||||
CodeSonar |
| LANG.MEM.BO | Buffer overrun | ||||||||||||||||||
Can detect violations of the rule. However, it is unable to handle cases involving | |||||||||||||||||||||
Coverity |
| STRING_OVERFLOW BUFFER_SIZE OVERRUN STRING_SIZE | Fully implemented | ||||||||||||||||||
5.0 | |||||||||||||||||||||
Helix QAC |
| C2840, C2841, C2842, C2843, C2845, C2846, C2847, C2848, C2930, C2931, C2932, C2933, C2935, C2936, C2937, C2938, C5009 C5009, C5038 C++0145, C++28405009, C++2841, C++2842, C++2843, C++2845, C++2846, C++2847, C++2848, C++2930, C++2931, C++2932, C++2933, C++2935, C++2936, C++2937, C++2938, C++5009, C++50385038 DF2840, DF2841, DF2842, DF2843, DF2845, DF2846, DF2847, DF2848, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938 | |||||||||||||||||||
| SV.FMT_STR.BAD_SCAN_FORMAT | ||||||||||||||||||||
| 489 S, 109 D, 66 X, 70 X, 71 X | Partially implemented | |||||||||||||||||||
Parasoft C/C++test |
| CERT_C-STR31-a | Avoid accessing arrays out of bounds | ||||||||||||||||||
PC-lint Plus |
| 421, 498 | Partially supported | ||||||||||||||||||
Polyspace Bug Finder |
| Checks for:
Rule partially covered. | PRQA QA-C | ||||||||||||||||||
Include Page | PRQA QA-C_v |
Rule partially covered. | PRQA QA-C_v | 5009, 5038, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938 | Partially implemented | PRQA QA-C++ | Include Page | | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | 0145, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938, 5006, 5038|||||||||||
PVS-Studio |
| V518, V645, V727, V755 | |||||||||||||||||||
| |||||||||||||||||||||
TrustInSoft Analyzer |
| mem_access | Exhaustively verified (see one compliant and one non-compliant example). |
...
[Dowd 2006] | Chapter 7, "Program Building Blocks" ("Loop Constructs," pp. 327–336) |
[Drepper 2006] | Section 2.1.1, "Respecting Memory Bounds" |
[ISO/IEC 9899:20112024] | K.3.5.4.1, "The gets_s Function" |
[Lai 2006] | |
[NIST 2006] | SAMATE Reference Dataset Test Case ID 000-000-088 |
[Seacord 2013b] | Chapter 2, "Strings" |
[xorl 2009] | FreeBSD-SA-09:11: NTPd Remote Stack Based Buffer Overflows |
[BC] | New Linux SUDO flaw lets local users gain root privileges |
...