Wide characters can frequently contain null bytes if taken from the ASCII character set. As a result, using narrow-character functions that rely on null-byte termination can lead to obtuse behavior. Likewise, a narrow-character string that is properly null-terminated might not be considered so in a wide-character function. Improper use of narrow and wide character strings could result in buffer overflows.

Noncompliant Code Example (Using strncpy instead of wcsncpy)

This example uses strncpy, which copies, at most, 10 bytes but stops copying after it encounters a null byte. Because wide characters can contain null bytes, the code can stop copying prematurely. It is important to recognize that many narrow-string functions are byte functions and so can terminate prematurely.

wchar_t wide_str1[] = L"0123456789";
wchar_t wide_str2[] = L"0000000000";

strncpy(wide_str2, wide_str1, 10);

Noncompliant Code Example (Using wcsncpy instead of strncpy)

The example below uses wcsncpy, which copies 10 wide-length characters. In most implementations, wide characters span multiple narrow characters. The wcsncpy function copies, at most, 10 wide characters, which is longer than narrow_str1. As a result, it will write the first 10 bytes of narrow_str1 into narrow_str2 and then continue padding with L'\0' null wide characters until 10 wide characters have been written.

Note that wcsncpy does not perform null-termination if the source string contains more wide characters than the destination. As a result, it is possible for an attacker to exploit such a vulnerability by passing a maliciously crafted string to wcsncpy. If the code is intended to copy a certain number of bytes, it can overflow the buffer by writing multiple bytes because wcsncpy measures copying by wide characters, not by bytes.

char narrow_str1[] = "0123456789";
char narrow_str2[] = "0000000000";

wcsncpy(narrow_str2, narrow_str1, 10);

Implementation Details

The C standard recognizes wchar_t[] and char[] as distinct types. As a result, many compilers will yield a warning if the inappropriate function is used. For example, the following warnings were generated when the second noncompliant example was compiled with no flags in GCC on a Linux i686 platform:

warning: passing arg 1 of `wcsncpy' from incompatible pointer type
warning: passing arg 2 of `wcsncpy' from incompatible pointer type

Similar warnings were issued by the compiler for the first noncompliant example, with respect to the arguments of the strncpy function instead.

Since these are just warnings, the compiled code can still be run. When run on the i686 Linux platform mentioned above, both noncompliant code examples began copying information from out of the bounds of the arguments. This behavior indicates a possible buffer overflow vulnerability.

Compliant Solution

This compliant solution uses the appropriate-width function versions. Using wcsncpy for wide-character strings and strncpy for narrow-character strings ensures that data is not truncated and that extra memory is not overwritten.

wchar_t wide_str1[] = L"0123456789";
wchar_t wide_str2[] = L"0000000000";
wcsncpy(wide_str2, wide_str1, 10);   /* Use of proper-width function */

char narrow_str1[] = "0123456789";
char narrow_str2[] = "0000000000";
strncpy(narrow_str2, narrow_str1, 10); /* Use of proper-width function */

...

Modern compilers recognize the difference between a char* and a wchar_t* pointer. As a result, compiling code that violates this rule will generate warnings. It is feasible to have automated software that recognizes functions of improper width and replaces them with functions of proper width (that is, software that uses wcsncpy when it recognizes that the parameters are of type wchar_t*).
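
The following is an added example, not part of the CERT guideline. It measures how many bytes a byte-oriented function sees in an ASCII wide string before a null byte, and uses C11 _Generic to select the proper-width copy function from the destination type. COPY_N and the function names are hypothetical, and the code assumes sizeof(wchar_t) is greater than 1.

```c
/* Added example, not CERT's code. COPY_N is a hypothetical helper name. */
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Pick the copy routine from the destination's element type (C11 _Generic).
 * A source of the other width then fails the selected function's prototype,
 * which draws the compiler's incompatible-pointer diagnostic. */
#define COPY_N(dst, src, n) \
    _Generic(&(dst)[0], char *: strncpy, wchar_t *: wcsncpy)((dst), (src), (n))

/* Bytes a byte-oriented routine such as strncpy would consume from a wide
 * string before meeting a 0x00 byte. Stays in bounds because the
 * terminating L'\0' consists entirely of zero bytes. */
size_t bytes_before_first_nul(const wchar_t *ws)
{
    const unsigned char *p = (const unsigned char *)ws;
    size_t n = 0;
    while (p[n] != 0)
        n++;
    return n;
}

/* Copy the page's two strings with COPY_N; returns 1 if both arrive intact. */
int copy_both_widths(void)
{
    wchar_t wide_src[] = L"0123456789", wide_dst[] = L"0000000000";
    char narrow_src[] = "0123456789", narrow_dst[] = "0000000000";

    COPY_N(wide_dst, wide_src, 10);     /* resolves to wcsncpy */
    COPY_N(narrow_dst, narrow_src, 10); /* resolves to strncpy */
    /* Neither routine terminates when the source has 10 or more characters. */
    wide_dst[10] = L'\0';
    narrow_dst[10] = '\0';

    return wcscmp(wide_dst, wide_src) == 0 && strcmp(narrow_dst, narrow_src) == 0;
}

int main(void)
{
    const wchar_t *ws = L"0123456789";
    printf("wide characters: %zu, bytes before first 0x00: %zu\n",
           wcslen(ws), bytes_before_first_nul(ws));
    printf("width-dispatched copies intact: %d\n", copy_both_widths());
    return 0;
}
```

Passing a pointer type that is neither char* nor wchar_t* as the destination matches no _Generic association and stops compilation.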

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC 9899:2011 Section 7.24.2.4, "The strncpy function," and Section 7.29.4.2.2, "The wcsncpy function"

...