...
The signature is similar to strcpy()
but takes an extra argument of type rsize_t
that specifies the maximum length of the destination buffer. Functions that accept parameters of type rsize_t
diagnose a constraint violation if the values of those parameters are greater than RSIZE_MAX
. Extremely large object sizes are frequently a sign that an object's size was calculated incorrectly. For example, negative numbers appear as very large positive numbers when converted to an unsigned type like size_t
. For those reasons, it is sometimes beneficial to restrict the range of object sizes to detect errors. For machines with large address spaces, the C Standard, Annex K, recommends that RSIZE_MAX
be defined as the smaller of the size of the largest object supported or (SIZE_MAX >> 1)
, even if this limit is smaller than the size of some legitimate, but very large, objects . See (see also INT01-C. Use rsize_t or size_t for all integer values representing the size of an object).
The semantics of strcpy_s()
are similar to the semantics of strcpy()
. When there are no input validation errors, the strcpy_s()
function copies characters from a source string to a destination character array up to and including the terminating null character. The function returns 0 on success.
...
The C Standard Annex K functions are still capable of overflowing a buffer if the maximum length of the destination buffer and number of characters to copy are incorrectly specified. ISO/IEC TR 24731 Part II functions can make it more difficult to keep track of memory that must be freed, leading to memory leaks. As a result, the C Standard Annex K and the ISO/IEC TR 24731 Part II functions are not particularly secure but may be useful in preventive maintenance to reduce the likelihood of vulnerabilities in an existing legacy code base.
Noncompliant Code Example
This noncompliant code overflows its buffer if msg
is too long, and it has undefined behavior if msg
is a null pointer:
Code Block | ||||
---|---|---|---|---|
| ||||
void complain(const char *msg) { static const char prefix[] = "Error: "; static const char suffix[] = "\n"; char buf[BUFSIZ]; strcpy(buf, prefix); strcat(buf, msg); strcat(buf, suffix); fputs(buf, stderr); } |
Compliant Solution (Runtime)
This compliant solution will not overflow its buffer:
Code Block | ||||
---|---|---|---|---|
| ||||
void complain(const char *msg) { errno_t err; static const char prefix[] = "Error: "; static const char suffix[] = "\n"; char buf[BUFSIZ]; err = strcpy_s(buf, sizeof(buf), prefix); if (err != 0) { /* Handle error */ } err = strcat_s(buf, sizeof(buf), msg); if (err != 0) { /* Handle error */ } err = strcat_s(buf, sizeof(buf), suffix); if (err != 0) { /* Handle error */ } fputs(buf, stderr); } |
Compliant Solution (Partial Compile Time)
This compliant solution performs some of the checking at compile time using a static assertion . (See see DCL03-C. Use a static assertion to test the value of a constant expression).)
Code Block | ||||
---|---|---|---|---|
| ||||
void complain(const char *msg) { errno_t err; static const char prefix[] = "Error: "; static const char suffix[] = "\n"; char buf[BUFSIZ]; /* * Ensure that more than one character * is available for msg */ static_assert(sizeof(buf) > sizeof(prefix) + sizeof(suffix), "Buffer for complain() is too small"); strcpy(buf, prefix); err = strcat_s(buf, sizeof(buf), msg); if (err != 0) { /* Handle error */ } err = strcat_s(buf, sizeof(buf), suffix); if (err != 0) { /* Handle error */ } fputs(buf, stderr); } |
Risk Assessment
String-handling functions defined in the C Standard, subclause 7.24, and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of the C11 Annex K functions can eliminate most of these issues.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR07-C | High | Probable | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported | |||||||
Axivion Bauhaus Suite |
| CertC-STR07 | |||||||
CodeSonar |
| BADFUNC.BO.OEMTOCHAR | Use of |
use of | |||||||||
Helix QAC |
| C5008 | |||||||
LDRA tool suite |
|
44 S |
Enhanced enforcement | ||
Parasoft C/C++test |
|
|
|
-wc strcat
-wc strncpy
-wc strncat
CERT_C-STR07-a | Avoid using unsafe string functions that do not check bounds | ||||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 586 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rec. partially covered. | |||||||
SonarQube C/C++ Plugin |
| S1081 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
[Seacord 2005b] | "Managed String Library for C, C/C++" |
[Seacord 2013] | Chapter 2, "Strings" |
...