...
If a runtime-constraint error is detected by the call to either strnlen_s()
or strcpy_s()
, the currently registered runtime-constraint handler is invoked. See ERR03-C. Use runtime-constraint handlers when calling the bounds-checking interfaces for more information on using runtime-constraint handlers with C11 Annex K functions.
Exceptions
STR03-C-EX1: The intent of the programmer is to purposely truncate the string.
...
Truncating strings can lead to a loss of data.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR03-C | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| MISC.MEM.NTERM | No Space For Null Terminator | ||||||
Compass/ROSE |
Could detect violations in the following manner: all calls to |
GCC |
8. |
1 | -Wstringop-truncation | Detects string truncation by strncat and strncpy . | ||||||
Klocwork |
| NNTS.MIGHT |
NNTS.MUST | ||||||||
LDRA tool suite |
| 115 S, 44 S |
Fully implemented
Partially implemented | |||||||||
Parasoft C/C++test |
| CERT_C-STR03-a | Avoid overflow due to reading a not zero terminated string | ||||||
Polyspace Bug Finder |
| CERT C: Rec. STR03-C | Checks for invalid use of standard library string routine (rec. partially supported) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | VOID STR03-CPP. Do not inadvertently truncate a null-terminated character array |
ISO/IEC TR 24772:2013 | String Termination [CJM] |
MITRE CWE | CWE-170, Improper null termination CWE-464, Addition of data structure sentinel |
Bibliography
[Seacord 2013] | Chapter 2, "Strings" |
...
...