Alternative functions that limit the number of bytes copied are often recommended to mitigate buffer overflow vulnerabilities, for example:
strncpy()instead ofstrcpy()fgets()instead ofgets()snprintf()instead ofsprintf()
These function truncate strings that exceed the specified limits. Additionally, some functions such as strncpy() do not guarantee that the resulting string is null-terminated .
Truncation results in a loss of data, and in some cases, leads to software vulnerabilities.
Non-Compliant Code Example
These two lines of code assume that gets() will not read more than BUFSIZ characters from stdin. This is an invalid assumption and the resulting operation can result in a buffer overflow.
char buf[BUFSIZ + 1]; gets(buf);
Non-Compliant Code Example
The standard function strncpy() and strncat() do not guarantee that the resulting string is null terminated. If there is no null character in the first n characters of the source array pointed the result is not be null-terminated as in the following example:
char a[16]; strncpy(a, "0123456789abcdef", sizeof(a));
Compliant Solution 1
The correct solution depends on the original intent. If your intent was to truncate a string but ensure that the
result was a null-terminated string the following solution can be used.
char a[16]; strncpy(a, "0123456789abcdef", sizeof(a)-1); a[sizeof(a)] = '\0';
Compliant Solution 2
Example using strcpy()
Compliant Solution 3
Example using strncpy_s()
Exception
An exception to this rule applies if the intent of the programmer was to convert a null-terminated byte string to a character array. To be compliant with this standard, this intent must be made clear statement in comments.
References
- ISO/IEC 9899-1999 7.21.2.4 The strncpy function
- ISO/IEC 9899-1999 7.21.3.2 The strncat function
- SAMATE Reference Dataset Test Case ID 000-000-004