...
The signature is similar to strcpy() but takes an extra argument of type rsize_t that specifies the maximum length of the destination buffer. Functions that accept parameters of type rsize_t diagnose a constraint violation if the values of those parameters are greater than RSIZE_MAX. Extremely large object sizes are frequently a sign that an object's size was calculated incorrectly. For example, negative numbers appear as very large positive numbers when converted to an unsigned type like size_t. For those reasons, it is sometimes beneficial to restrict the range of object sizes to detect errors. For machines with large address spaces, the C Standard, Annex K, recommends that RSIZE_MAX be defined as the smaller of the size of the largest object supported or (SIZE_MAX >> 1), even if this limit is smaller than the size of some legitimate, but very large, objects . See (see also INT01-C. Use rsize_t or size_t for all integer values representing the size of an object).
The semantics of strcpy_s() are similar to the semantics of strcpy(). When there are no input validation errors, the strcpy_s() function copies characters from a source string to a destination character array up to and including the terminating null character. The function returns 0 on success.
...
This compliant solution performs some of the checking at compile time using a static assertion . (See see DCL03-C. Use a static assertion to test the value of a constant expression).)
| Code Block | ||||
|---|---|---|---|---|
| ||||
void complain(const char *msg) {
errno_t err;
static const char prefix[] = "Error: ";
static const char suffix[] = "\n";
char buf[BUFSIZ];
/*
* Ensure that more than one character
* is available for msg
*/
static_assert(sizeof(buf) > sizeof(prefix) + sizeof(suffix),
"Buffer for complain() is too small");
strcpy(buf, prefix);
err = strcat_s(buf, sizeof(buf), msg);
if (err != 0) {
/* Handle error */
}
err = strcat_s(buf, sizeof(buf), suffix);
if (err != 0) {
/* Handle error */
}
fputs(buf, stderr);
}
|
...
String-handling functions defined in the C Standard, subclause 7.24, and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of the C11 Annex K functions can eliminate most of these issues.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
STR07-C | High | Probable | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported | |||||||
| Axivion Bauhaus Suite |
| CertC-STR07 | |||||||
| CodeSonar |
| BADFUNC.BO.OEMTOCHAR | Use of |
use of | |||||||||
| Helix QAC |
| C5008 | |||||||
| LDRA tool suite |
|
44 S |
-wc strcat
-wc strncpy
-wc strncat
Enhanced enforcement | |||||||||
| Parasoft C/C++test |
| CERT_C-STR07-a | Avoid using unsafe string functions that do not check bounds | ||||||
| Parasoft Insure++ | Runtime analysis | ||||||||
| PC-lint Plus |
| 586 | Fully supported | ||||||
| Polyspace Bug Finder |
| Checks for:
Rec. partially covered. | |||||||
| SonarQube C/C++ Plugin |
| S1081 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [Seacord 2005b] | "Managed String Library for C, C/C++" |
| [Seacord 2013] | Chapter 2, "Strings" |
...