SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 36

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Copying data into a container that is not large enough to hold that data results in a buffer overflow. To prevent such errors, data copied to the destination container must be restricted on the basis of the destination container's size, or , preferably, the destination container must be guaranteed to be large enough to hold the data to be copied.

...

Copies can be made with the std::memcpy() function. However, the std::memmove() and std::memset() functions can also have the same vulnerabilities because they overwrite a block of memory without checking that the block is valid. Such issues are not limited to C standard library functions; standard template library (STL) generic algorithms, such as std::copy()std::fill(), and std::transform(), also assume valid output buffer sizes [ISO/IEC 14882-2014].

...

The proper way to use std::copy() is to ensure the destination container can hold all the elements being copied to it. This compliant solution enlarges the capacity of the vector prior to the copy operation:.

Code Block
bgColor#ccccff
langcpp
#include <algorithm>
#include <vector>
void f(const std::vector<int> &src) {
  // Initialize dest with src.size() default-inserted elements
  std::vector<int> dest(src.size());
  std::copy(src.begin(), src.end(), dest.begin());
  // ...
}

...

The simplest solution is to construct dest from src directly, as in this compliant solution:.

Code Block
bgColor#ccccff
langcpp
#include <vector>

void f(const std::vector<int> &src) {
  std::vector<int> dest(src);
  // ...
}

...

However, this compliant solution is inefficient. The constructor will default-construct 10 elements of type int, which are subsequently replaced by the value 0x42 by the call to std::fill_n(), meaning that each element in the container is initialized twice.

...

Copying data to a buffer that is too small to hold that the data results in a buffer overflow. Attackers can exploit this condition to execute arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CTR52-CPP

High

Likely

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

Astrée

Include Page
Astrée_V
Astrée_V

invalid_pointer_dereference

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

BADFUNC.BO.*
LANG.MEM.BO
LANG.MEM.TBA

A collection of warning classes that report uses of library functions prone to internal buffer overflows.
Buffer Overrun
Tainted Buffer Access

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF3526, DF3527, DF3528, DF3529, DF3530, DF3531, DF3532, DF3533, DF3534


Parasoft C/C++test
9.5BD-PB-OVERF{RD, WR, FMT, NZT} 
Include Page
Parasoft_V
Parasoft_V
CERT_CPP-CTR52-a
Do not pass empty container iterators to std algorithms as destinations
Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C++: CTR52-CPPChecks for library functions overflowing sequence container (rule partially covered).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding Standard STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator
SEI CERT C Coding StandardARR38-C. Guarantee that library functions do not form invalid pointers
MITRE CWECWE 119, Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer
CWE 805, Buffer Access with Incorrect Length Value

Bibliography

[ISO/IEC 14882-2014]

Subclause 25.3, "Mutating Sequence Operations"

[ISO/IEC TR 24772-2013]Buffer Overflow in Heap [XYB]
Buffer Overflow in Stack [XYW]
Unchecked Array Indexing [XYZ]
[Meyers
01
2001]Item 30, "Make Sure Destination Ranges Are Big Enough"

...


...

Image Modified Image Modified Image Modified