SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 109

changes.mady.by.user Martin Sebor

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This solution requires that string_data is null-terminated; that is, a null byte can be found within the bounds of the referenced character array. Otherwise, strlen() will stray into other objects before finding a null byte.

Compliant Solution (strcpy_s(), C11 Annex K)

The strcpy_s() function defined in C11 Annex K  [ISO/IEC 9899:2011] provides additional safeguards, including accepting the size of the destination buffer as an additional argument. (See STR07-C. Use the bounds-checking interfaces for string manipulation.) Also, strnlen_s() accepts a maximum-length argument for strings that may not be null-terminated.

Code Block
bgColor#ccccff
langc
char *string_data = NULL;
char a[16];

/* ... */

if (string_data == NULL) {
  /* Handle null pointer error */
}
else if (strnlen_s(string_data, sizeof(a)) >= sizeof(a)) {
  /* Handle overlong string error */
}
else {
  strcpy_s(a, sizeof(a), string_data);
}

If a runtime-constraint error is detected by the call to either strnlen_s() or strcpy_s(), the currently registered runtime-constraint handler is invoked. See ERR03-C. Use runtime-constraint handlers when calling the bounds-checking interfaces for more information on using runtime-constraint handlers with C11 Annex K functions.

Exceptions

STR03-C-EX1: The intent of the programmer is to purposely truncate the string.

...

Recommendation

Severity

Likelihood

Detectable

RepairableRemediation Cost

Priority

Level

STR03-C

Medium

Probable

No

MediumNo

P8P4

L2L3

Automated Detection

BDPB-OVERNZTString format specifier causes buffer argument of standard library functions to overflow

Tool

Version

Checker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
MISC.MEM.NTERMNo Space For Null Terminator
Compass/ROSE



Could detect violations in the following manner: all calls to strncpy() and the other functions should be followed by an assignment of a terminating character to null-terminate the string

GCC8.1-Wstringop-truncationDetects string truncation by strncat and strncpy.
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1619


Klocwork
Include Page
Klocwork_V
Klocwork_V

NNTS.MIGHT
NNTS.MUST


LDRA tool suite
Include Page
LDRA_V
LDRA_V

115 S, 44 S

Partially implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-

STR03-a

Avoid overflow due to reading a not zero terminated string

Polyspace Bug FinderR2016aBuffer overflow from incorrect string format specifier

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. STR03-C

Checks for invalid use of standard library string routine (rec. partially supported)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...