Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Upon return, functions should guarantee that any objects object returned by the function, or any modified value referenced by a pointer argument, is a valid object of function return type or argument type. Failure to do so can result in  Otherwise, type errors can occur in the program.

A good example is the null-terminated byte string type in C. If a string lacks the terminating null character, the program may be tricked into accessing storage after the string as legitimate data. This may cause a program to process  A program may, as a result, process a string that it should not process, which might be a security flaw in itself. It may also cause the program to abort, which might be a denial-of-service attack. Also note that the emphasis is not to produce unterminated strings.

This The emphasis of this recommendation is to avoid producing unterminated strings; it does not address processing of already existing unterminated strings. However, by preventing the creation of unterminated strings, the need to process them is greatly lessened.

Noncompliant Code Example

Wiki MarkupThe standard {{strncpy()}} function does not guarantee that the resulting string is null terminated \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\]. If there is no null character in the first {{n}} characters of the {{source}} array, the result may not be null -terminated. If there is no null character in the first n characters of the source array, the result may not be null-terminated.

Code Block
bgColor#FFcccc
langc

char *source;
char a[NTBS_SIZE];
/* ... */
if (source) {
  errno_t errchar* b = strncpy(a, source, 5);
 // if (err != 0) {
    /* Handle error */
  }b == a
}
else {
  /* handleHandle NULLnull string condition */
}

Compliant Solution (strncpy_s(), C11 Annex K)

Wiki MarkupThe {{The C11 Annex K strncpy_s()}} function copies up to {{n}} characters from the source array to a destination array \[[TR 24731|AA. Bibliography#ISO/IEC TR 24731-1-2007]\]. If no null character was copied from the source array, then the {{n{}}}th position in the destination array is set to a null character, guaranteeing that the resulting string is null-terminated.

Code Block
bgColor#ccccff
langc

char *source;
char a[NTBS_SIZE];
/* ... */
if (source) {
  errno_t err = strncpy_s(a, sizeof(a), source, 5);
  if (err != 0) {
    /* Handle error */
  }
}
else {
  /* handleHandle NULLnull string condition */
}

Risk Assessment

Failure to do so can to enforce type safety can result in type errors in the program.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

API07-C

medium

Medium

unlikely

Unlikely

medium

Medium

P4

L3

Automated Detection

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.CAST.VALUE
LANG.CAST.COERCE
ALLOC.TM

Cast alters value
Coercion alters value
Type mismatch

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding Standard: API07-CPP. Enforce type safety

...

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

ISO/IEC TR 24772

...

:2013String Termination [CJM]Prior to 2018-01-12: CERT: Unspecified Relationship
MITRE CWECWE-192Prior to 2018-01-12:
MITRE CWECWE-227Prior to 2018-01-12:
MITRE CWECWE-590Prior to 2018-01-12:
MITRE CWECWE-686Prior to 2018-01-12:
MITRE CWECWE-704Prior to 2018-01-12:
MITRE CWECWE-761Prior to 2018-01-12:
MITRE CWECWE-762Prior to 2018-01-12:
MITRE CWECWE-843Prior to 2018-01-12:


...

Image Added Image Added API09-C. Compatible values should have the same type

ISO/IEC TR 24731-1:2007 Section 6.7.1.4, "The strncpy_s function"

Bibliography

API04-C. Provide a consistent and usable error checking mechanism      13. Application Programming Interfaces (API)      API08-C. Protect header prototypes from misinterpretation