...
The gets_s() function reads, at most, one less than the number of characters specified from the stream pointed to by stdin into an array.
The C Standard, Annex K 3.5.4.1 paragraph 4 [ISO/IEC 9899:20112024], states
No additional characters are read after a new-line character (which is discarded) or after end-of-file. The discarded new-line character does not count towards number of characters read. A null character is written immediately after the last character read into the array.
...
In this compliant solution, characters are no longer copied to buf once index == BUFFERSIZE - 1, leaving room to null-terminate the string. The loop continues to read characters until the end of the line, the end of the file, or an error is encountered. When chars_read > index truncated == true, the input string has been truncated.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
enum { BUFFERSIZE = 32 };
void func(void) {
char buf[BUFFERSIZE];
int ch;
size_t index = 0;
size_t chars_readbool truncated = 0false;
while ((ch = getchar()) != '\n' && ch != EOF) {
if (index < sizeof(buf) - 1) {
buf[index++] = (char)ch;
} else {
chars_read++ truncated = true;
}
}
buf[index] = '\0'; /* Terminate string */
if (ch == EOF) {
/* Handle EOF or error */
}
if (chars_read > indextruncated) {
/* Handle truncation */
}
}
|
...
Tool | Version | Checker | Description | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported Astrée reports all buffer overflows resulting from copying data to a buffer that is not large enough to hold that data. | |||||||||||||||||||
| Axivion Bauhaus Suite |
| CertC-STR31 | Detects calls to unsafe string function that may cause buffer overflow | ||||||||||||||||||
| CodeSonar |
| LANG.MEM.BO | Buffer overrun | ||||||||||||||||||
Can detect violations of the rule. However, it is unable to handle cases involving | |||||||||||||||||||||
| Coverity |
| STRING_OVERFLOW BUFFER_SIZE OVERRUN STRING_SIZE | Fully implemented | ||||||||||||||||||
5.0 | |||||||||||||||||||||
| Helix QAC |
| C2840, C5009, C5038 C++0145, C++28405009, C++2841, C++2842, C++2843, C++2845, C++2846, C++2847, C++2848, C++2930, C++2931, C++2932, C++2933, C++2935, C++2936, C++2937, C++2938, C++5009, C++50385038 DF2840, DF2841, DF2842, DF2843, DF2845, DF2840, DF2841, DF2842, DF2843, DF2845, DF2846, DF2847, DF2848, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938 | |||||||||||||||||||
| SV.FMT_STR.BAD_SCAN_FORMAT | ||||||||||||||||||||
| 489 S, 109 D, 66 X, 70 X, 71 X | Partially implemented | |||||||||||||||||||
| Parasoft C/C++test |
| CERT_C-STR31-a | Avoid accessing arrays out of bounds | ||||||||||||||||||
| PC-lint Plus |
| 421, 498 | Partially supported | ||||||||||||||||||
| Polyspace Bug Finder |
| Checks for:
Rule partially covered. | PRQA QA-C | ||||||||||||||||||
| Include Page | PRQA QA-C_v |
Rule partially covered. | PRQA QA-C_v | 5009, 5038, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938 | Partially implemented | PRQA QA-C++ | | Include Page | | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | 0145, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938, 5006, 5038|||||||||||
| PVS-Studio |
| V518, V645, V727, V755 | |||||||||||||||||||
| |||||||||||||||||||||
| TrustInSoft Analyzer |
| mem_access | Exhaustively verified (see one compliant and one non-compliant example). |
...
| [Dowd 2006] | Chapter 7, "Program Building Blocks" ("Loop Constructs," pp. 327–336) |
| [Drepper 2006] | Section 2.1.1, "Respecting Memory Bounds" |
| [ISO/IEC 9899:20112024] | K.3.5.4.1, "The gets_s Function" |
| [Lai 2006] | |
| [NIST 2006] | SAMATE Reference Dataset Test Case ID 000-000-088 |
| [Seacord 2013b] | Chapter 2, "Strings" |
| [xorl 2009] | FreeBSD-SA-09:11: NTPd Remote Stack Based Buffer Overflows |
[BC] | New Linux SUDO flaw lets local users gain root privileges |
...