Upon return, functions should guarantee that any object returned by the function, or any modified value referenced by a pointer argument, is a valid object of the function's return type or argument type. Otherwise, type errors can occur in the program.
A good example is the null-terminated byte string type in C. If a string lacks the terminating null character, the program may be tricked into accessing storage after the string as legitimate data. A program may, as a result, process a string that it should not process, which might be a security flaw in itself. It may also cause the program to abort, which might be a denial-of-service attack.
The emphasis of this recommendation is to avoid producing unterminated strings; it does not address processing of already existing unterminated strings. However, by preventing the creation of unterminated strings, the need to process them is greatly lessened.
Noncompliant Code Example
The standard strncpy() function does not guarantee that the resulting string is null-terminated [ISO/IEC 9899:1999]. If there is no null character in the first n characters of the source array, the result may not be null-terminated.
```c
#include <string.h>

char *source;
char a[NTBS_SIZE];
/* ... */
if (source) {
  /* strncpy() returns its first argument; it does not report whether a
   * terminating null was written, so b == a tells the caller nothing */
  char *b = strncpy(a, source, 5);
  /* b == a */
} else {
  /* Handle null string condition */
}
```
Compliant Solution (strncpy_s(), C11 Annex K)
The C11 Annex K strncpy_s() function copies up to n characters from the source array to a destination array [TR 24731]. If no null character was copied from the source array, then the nth position in the destination array is set to a null character, guaranteeing that the resulting string is null-terminated.
```c
#define __STDC_WANT_LIB_EXT1__ 1  /* request the Annex K bounds-checking interfaces */
#include <string.h>

char *source;
char a[NTBS_SIZE];
/* ... */
if (source) {
  /* strncpy_s() either produces a null-terminated string in a or fails
   * with a nonzero errno_t; it never leaves a unterminated */
  errno_t err = strncpy_s(a, sizeof(a), source, 5);
  if (err != 0) {
    /* Handle error */
  }
} else {
  /* Handle null string condition */
}
```
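The two fragments above cannot be run as written (NTBS_SIZE and source are left open, and strncpy_s() is only available on implementations that ship Annex K). The following added example, which is not part of the CERT page, makes the difference observable on any C compiler: it reproduces the noncompliant strncpy() pattern, checks with memchr() whether the buffer is actually terminated, and provides bounded_copy(), a hypothetical portable stand-in for strncpy_s() whose name, signature and EINVAL return are assumptions of this example. NTBS_SIZE, the sample strings and the count 5 are constructed values.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Destination buffer size used throughout this example (constructed value). */
#define NTBS_SIZE 8

/* Returns 1 if buf[0..size) contains a null byte, 0 otherwise.
 * memchr() is bounded by size, so the check itself never reads past buf. */
int is_null_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* The noncompliant pattern: strncpy() copies at most n bytes and only pads
 * with nulls when the source is shorter than n. The buffer is first filled
 * with 'X' so a missing terminator is not hidden by leftover zeros.
 * Returns whether dst is terminated afterwards. */
int strncpy_leaves_terminated(char *dst, size_t dst_size,
                              const char *src, size_t n) {
    memset(dst, 'X', dst_size);
    strncpy(dst, src, n);
    return is_null_terminated(dst, dst_size);
}

/* Hypothetical portable stand-in for strncpy_s() (not the Annex K function).
 * Copies at most n bytes from src and then writes the terminator at dst[i],
 * where i <= n, so n < dst_size is required. This is stricter than Annex K,
 * which also allows n >= dst_size when the source is short enough.
 * Returns 0 on success or EINVAL on invalid arguments; on failure dst is
 * left as a valid empty string rather than unterminated. */
int bounded_copy(char *dst, size_t dst_size, const char *src, size_t n) {
    if (dst == NULL || dst_size == 0) {
        return EINVAL;
    }
    if (src == NULL || n >= dst_size) {
        dst[0] = '\0';
        return EINVAL;
    }
    size_t i = 0;
    while (i < n && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return 0;
}

int main(void) {
    char a[NTBS_SIZE];

    /* "hello world" is longer than 5: strncpy() copies "hello" and no null. */
    printf("strncpy, long source, terminated: %d\n",
           strncpy_leaves_terminated(a, sizeof a, "hello world", 5));
    /* "hi" is shorter than 5: strncpy() pads with nulls, so it is terminated. */
    printf("strncpy, short source, terminated: %d\n",
           strncpy_leaves_terminated(a, sizeof a, "hi", 5));

    /* bounded_copy() terminates in both cases and rejects an unsafe count. */
    printf("bounded_copy: rc=%d a=\"%s\"\n",
           bounded_copy(a, sizeof a, "hello world", 5), a);
    printf("bounded_copy oversized n: rc=%d a=\"%s\"\n",
           bounded_copy(a, sizeof a, "hello world", NTBS_SIZE), a);
    return 0;
}
```

The memchr() check is the same test a reviewer can apply wherever a string produced by strncpy() is later handed to strlen(), printf("%s") or similar: if no null is found within the known buffer size, the object is not a valid null-terminated byte string and must not be passed on as one.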
Risk Assessment
Failure to enforce type safety can result in type errors in the program.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
API07-C | Medium | Unlikely | Medium | P4 | L3
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | LANG.CAST.VALUE, LANG.CAST.COERCE, ALLOC.TM | Cast alters value
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: API07-CPP. Enforce type safety
Taxonomy | Taxonomy item | Relationship
---|---|---
ISO/IEC TR 24772:2013 | String Termination [CJM] | Prior to 2018-01-12: CERT: Unspecified Relationship
MITRE CWE | CWE-192 | Prior to 2018-01-12:
MITRE CWE | CWE-227 | Prior to 2018-01-12:
MITRE CWE | CWE-590 | Prior to 2018-01-12:
MITRE CWE | CWE-686 | Prior to 2018-01-12:
MITRE CWE | CWE-704 | Prior to 2018-01-12:
MITRE CWE | CWE-761 | Prior to 2018-01-12:
MITRE CWE | CWE-762 | Prior to 2018-01-12:
MITRE CWE | CWE-843 | Prior to 2018-01-12:
API09-C. Compatible values should have the same type
Bibliography
ISO/IEC TR 24731-1:2007 Section 6.7.1.4, "The strncpy_s function"