The C Standard, Annex K (normative), defines alternative versions of standard string-handling functions designed to be safer replacements for existing functions. For example, it defines the
strncat_s() functions as replacements for
The Annex K functions were created by Microsoft to help retrofit its existing legacy code base in response to numerous, well-publicized security incidents over the past decade. These functions were subsequently proposed to the international standardization working group for the programming language C (ISO/IEC JTC1/SC22/WG14) for standardization.
strcpy_s() function, for example, has this signature:
The signature is similar to
strcpy() but takes an extra argument of type
rsize_t that specifies the maximum length of the destination buffer. Functions that accept parameters of type
rsize_t diagnose a constraint violation if the values of those parameters are greater than
RSIZE_MAX. Extremely large object sizes are frequently a sign that an object's size was calculated incorrectly. For example, negative numbers appear as very large positive numbers when converted to an unsigned type like
size_t. For those reasons, it is sometimes beneficial to restrict the range of object sizes to detect errors. For machines with large address spaces, the C Standard, Annex K, recommends that
RSIZE_MAX be defined as the smaller of the size of the largest object supported or
(SIZE_MAX >> 1), even if this limit is smaller than the size of some legitimate, but very large, objects (see also INT01-C. Use rsize_t or size_t for all integer values representing the size of an object).
The semantics of
strcpy_s() are similar to the semantics of
strcpy(). When there are no input validation errors, the
strcpy_s() function copies characters from a source string to a destination character array up to and including the terminating null character. The function returns 0 on success.
strcpy_s() function succeeds only when the source string can be fully copied to the destination without overflowing the destination buffer. Specifically, the following checks are made:
- The source and destination pointers are checked to see if they are
- The maximum length of the destination buffer is checked to see if it is equal to 0, greater than
RSIZE_MAX, or less than or equal to the length of the source string.
- Copying is not allowed between objects that overlap.
When a runtime-constraint violation is detected, the destination string is set to the null string (as long as it is not a null pointer, and the maximum length of the destination buffer is greater than 0 and not greater than
RSIZE_MAX), and the function returns a nonzero value. In the following example, the
strcpy_s() function is used to copy
However, the call to copy
dst2 fails because insufficient space is available to copy the entire string, which consists of eight characters, to the destination buffer. As a result,
r2 is assigned a nonzero value and
dst2 is set to the null character.
Users of the C Standard Annex K functions are less likely to introduce a security flaw because the size of the destination buffer and the maximum number of characters to append must be specified. ISO/IEC TR 24731 Part II [ISO/IEC TR 24731-2:2010] offers another approach, supplying functions that allocate enough memory for their results. ISO/IEC TR 24731 Part II functions also ensure null termination of the destination string.
The C Standard Annex K functions are still capable of overflowing a buffer if the maximum length of the destination buffer and number of characters to copy are incorrectly specified. ISO/IEC TR 24731 Part II functions can make it more difficult to keep track of memory that must be freed, leading to memory leaks. As a result, the C Standard Annex K and the ISO/IEC TR 24731 Part II functions are not particularly secure but may be useful in preventive maintenance to reduce the likelihood of vulnerabilities in an existing legacy code base.
Noncompliant Code Example
This noncompliant code overflows its buffer if
msg is too long, and it has undefined behavior if
msg is a null pointer:
Compliant Solution (Runtime)
This compliant solution will not overflow its buffer:
Compliant Solution (Partial Compile Time)
This compliant solution performs some of the checking at compile time using a static assertion (see DCL03-C. Use a static assertion to test the value of a constant expression).
String-handling functions defined in the C Standard, subclause 7.24, and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Proper use of the C11 Annex K functions can eliminate most of these issues.
|Axivion Bauhaus Suite
|LDRA tool suite
Avoid using unsafe string functions that do not check bounds
|Polyspace Bug Finder
Rec. partially covered.
|SonarQube C/C++ Plugin