SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 11

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 12

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wide characters may frequently contain null bytes if taken from the ASCII character set.   As a result, using narrow-char functions which rely on null-byte termination may lead to obtuse behavior.   Likewise, a narrow-char string which is properly null-terminated may not be considered so in a wide-char function.   Improper use of narrow and wide character strings could result in buffer overflows.

Noncompliant Code Example (Using strncpy

...

Instead of wcsncpy)

The below example uses strncpy which will copy at most 10 bytes in this example, but will stop copying after it encounters a null-byte.   Since wide-characters may contain null-bytes, it may stop copying prematurely.   It is important to recognize that many narrow-string functions are byte functions, and, thus, may terminate prematurely.

Code Block
bgColor#ffcccc
wchar_t *wide_str1  = L"0123456789";
wchar_t *wide_str2 =  L"0000000000";

strncpy(wide_str2, wide_str1, 10);

Noncompliant Code Example (Using wcsncpy

...

Instead of strncpy)

The below example uses wcsncpy, which will copy 10 wide-length characters. In most implementations, wide-characters span multiple narrow-characters. The wcsncpy function will copy at most 10 wide-characters, which is longer than narrow_str1. As a result, it will write the first 10 bytes of narrow_str1 into narrow_str2 and then continue padding with L'\0' null wide-characters until 10 wide-characters have been written.

...

Since these are just warnings, the compiled code can still be run.   When run on the i686 Linux platform mentioned above, both noncompliant code examples began copying information from out of the bounds of the arguments.   This behavior is indicative a possible buffer overflow vulnerability.

...

Modern compilers recognize the difference between a char* and a wchar_t* pointer. As a result, compiling code that violates this rule will generate warnings. It is feasible to have automated software that recognizes improper-width functions and replaces them with their proper width functions , (i.e., using wcsncpy when it recognizes that the parameters are of type wchar_t*).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...