Alternative functions that limit the number of bytes copied are often recommended to mitigate buffer overflow vulnerabilities, for example:
strncpy()instead ofstrcpy()strncat()instead ofstrcat()fgets()instead ofgets()snprintf()instead ofsprintf()
These function truncate strings that exceed the specified limits. Additionally, some functions such as strncpy() do not guarantee that the resulting string is null-terminated STR33-C.
Truncation results in a loss of data, and in some cases, leads to software vulnerabilities.
Non-Compliant Code Example
The standard function strncpy() and strncat() copy a specified number n characters from a source string to a destination array. If there is no null character in the first n characters of the source array the result is not be null-terminated and any remaining charactes are truncated
char *string_data; char a[16]; ... strncpy(a, string_data, sizeof(a));
Compliant Solution
Truncation resulting from a string copy operation should be treated as an error condition.
#define A_SIZE 16
char *string_data;
char a[A_SIZE];
...
if (string_data) {
if (strlen(string_data) < A_SIZE) {
strcpy(a, string_data);
}
else {
/* handle string too large condition */
}
}
else {
/* handle null string condition */
}
Compliant Solution 2
Example using strcpy()
Compliant Solution 3
Example using strncpy_s()
Exception
An exception to this rule applies if the intent of the programmer was to intentionally truncate the null-terminated byte string. To be compliant with this standard, this intent must be made clear statement in comments.
Priority: P2 Level: L1
Truncating strings can lead to a loss of data and exploitable vulnerabilities in some cases.
Component |
Value |
|---|---|
Severity |
1 (medium) |
Likelihood |
1 (probable) |
Remediation cost |
2 (medium) |
References
- ISO/IEC 9899-1999 Section 7.21 String handling <string.h>
- Seacord 05a Chapter 2 Strings
- ISO/IEC TR 24731-2006