...
A number of existing libraries are available for managing string data; the library selected depends on the approach adopted for managing null-terminated byte strings. The functions defined by the C Standard, subclause 7.24, are primarily intended for managing statically allocated strings. However, these functions are problematic because many of them are insufficiently bounded. Consequently, this standard recommends using the C11 Annex K [ISO/IEC 9899:2011] functions with statically allocated arrays. (See STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.) These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.
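The recommendation above as an added example (not code from the CERT page): a copy into a statically allocated array that either succeeds completely or leaves an empty string. `copy_bounded` is a hypothetical wrapper name. Annex K is an optional part of C11, so the sketch uses `strcpy_s` only when the library defines `__STDC_LIB_EXT1__`; the fallback branch is an assumption that mirrors the same outcome.

```c
#define __STDC_WANT_LIB_EXT1__ 1   /* request Annex K declarations, if available */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper (not a CERT or C Standard name): copy src into an
 * array of dstsz bytes. Returns 0 on success; on failure returns nonzero
 * and leaves dst as an empty string, never a truncated or unterminated one. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return 1;
#ifdef __STDC_LIB_EXT1__
    /* Annex K path. The default constraint handler is implementation-defined,
     * so install one that returns to the caller with an error code. */
    set_constraint_handler_s(ignore_handler_s);
    return strcpy_s(dst, dstsz, src) != 0;
#else
    /* Fallback for libraries without Annex K (assumption: same result as
     * strcpy_s for these cases; the overlap check is omitted). */
    if (src == NULL) {
        dst[0] = '\0';
        return 1;
    }
    size_t len = 0;
    while (len < dstsz && src[len] != '\0')   /* scan at most dstsz bytes */
        len++;
    if (len == dstsz) {                       /* no room for the terminator */
        dst[0] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);                /* includes the terminator */
    return 0;
#endif
}

int main(void)
{
    char name[8];                             /* statically sized destination */
    /* Constructed inputs: fits, exactly fits, one byte too long, far too long. */
    const char *inputs[] = { "alice", "1234567", "12345678", "overlong-input" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_bounded(name, sizeof name, inputs[i]);
        printf("%-16s -> rc=%d name=\"%s\"\n", inputs[i], rc, name);
    }
    return 0;
}
```

Passing `sizeof name` works only where the array itself is in scope; once it has decayed to a pointer, the size must be carried alongside it.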
...
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR01-C | Low | Unlikely | High | P1 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Secure Coding Standard | VOID STR01-CPP. Adopt and implement a consistent plan for managing strings |
ISO/IEC TR 24731-2:2010 | |
MISRA C:2012 | Directive 4.12 (required) |
Bibliography
[CERT 2006c] | |
[ISO/IEC 9899:2011] | Annex K |
[ISO/IEC 9945:2003] | |
[ISO/IEC 23360-1:2006] | |
[Seacord 2013] | Chapter 2, "Strings" |
...