...
String-handling functions defined in the C Standard, subclause 7.24, and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of the C11 Annex K functions can eliminate most of these issues.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
STR07-C | High | Probable | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported | |||||||
Axivion Bauhaus Suite |
| CertC-STR07 | |||||||
CodeSonar |
| BADFUNC.BO.OEMTOCHAR | Use of | ||||||
Helix QAC |
| C5008 | |||||||
LDRA tool suite |
| 44 S | Enhanced enforcement | ||||||
Parasoft C/C++test |
|
|
|
CERT_C-STR07-a | Avoid using unsafe string functions that do not check bounds |
Parasoft Insure++ |
Runtime analysis | |||||||||
PC-lint Plus |
| 586 | Fully supported | ||||||
Polyspace Bug Finder |
|
|
| Checks for:
|
Dangerous functions cause possible buffer overflow in destination buffer
Function writes to buffer at offset greater than buffer size
Rec. partially covered. | ||||||||
SonarQube C/C++ Plugin |
| S1081 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
[Seacord 2005b] | "Managed String Library for C, C/C++" |
[Seacord 2013] | Chapter 2, "Strings" |
...
...