Copying data into a container that is not large enough to hold that data results in a buffer overflow. To prevent such errors, data copied to the destination container must be restricted on the basis of the destination container's size, or , preferably, the destination container must be guaranteed to be large enough to hold the data to be copied.
...
Copies can be made with the std::memcpy() function. However, the std::memmove() and std::memset() functions can also have the same vulnerabilities because they overwrite a block of memory without checking that the block is valid. Such issues are not limited to C standard library functions; standard template library (STL) generic algorithms, such as std::copy(), std::fill(), and std::transform(), also assume valid output buffer sizes [ISO/IEC 14882-2014].
...
The proper way to use std::copy() is to ensure the destination container can hold all the elements being copied to it. This compliant solution enlarges the capacity of the vector prior to the copy operation:.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <algorithm>
#include <vector>
void f(const std::vector<int> &src) {
// Initialize dest with src.size() default-inserted elements
std::vector<int> dest(src.size());
std::copy(src.begin(), src.end(), dest.begin());
// ...
}
|
...
The simplest solution is to construct dest from src directly, as in this compliant solution:.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <vector>
void f(const std::vector<int> &src) {
std::vector<int> dest(src);
// ...
} |
...
However, this compliant solution is inefficient. The constructor will default-construct 10 elements of type int, which are subsequently replaced by the value 0x42 by the call to std::fill_n(), meaning that each element in the container is initialized twice.
...
Copying data to a buffer that is too small to hold that the data results in a buffer overflow. Attackers can exploit this condition to execute arbitrary code.
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level | |
|---|---|---|---|
CTR52-CPP | High | Likely | No |
No |
P9 |
L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| invalid_pointer_dereference | |||||||
| CodeSonar |
| BADFUNC.BO.* | A collection of warning classes that report uses of library functions prone to internal buffer overflows. | ||||||
| Helix QAC |
| DF3526, DF3527, DF3528, DF3529, DF3530, DF3531, DF3532, DF3533, DF3534 | |||||||
| Klocwork |
| ITER.END.OUTPARAM.MIGHT ITER.END.OUTPARAM.MUST | |||||||
| Parasoft C/C++test |
| CERT_CPP-CTR52-a | Do not pass empty container iterators to std algorithms as destinations | |||||||
| Polyspace Bug Finder |
| CERT C++: CTR52-CPP | Checks for library functions overflowing sequence container (rule partially covered). | ||||||
| Security Reviewer - Static Reviewer | 6.02 | C01 C04 | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator |
| SEI CERT C Coding Standard | ARR38-C. Guarantee that library functions do not form invalid pointers |
| MITRE CWE | CWE 119, Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer CWE 805, Buffer Access with Incorrect Length Value |
Bibliography
| [ISO/IEC 14882-2014] | Subclause 25.3, "Mutating Sequence Operations" |
| [ISO/IEC TR 24772-2013] | Buffer Overflow in Heap [XYB] Buffer Overflow in Stack [XYW] Unchecked Array Indexing [XYZ] |
| [Meyers |
| 2001] | Item 30, "Make Sure Destination Ranges Are Big Enough" |
...
...