...

Because the input is unbounded, the following code could lead to a buffer overflow:

#include <iostream>
 
void f() {
  char buf[12];
  std::cin >> buf;
}

...

To solve this problem, it may be tempting to use the std::ios_base::width() method, but there still is a trap, as shown in this noncompliant code example:

#include <iostream>
 
void f() {
  char bufOne[12];
  char bufTwo[12];
  std::cin.width(12);
  std::cin >> bufOne;
  std::cin >> bufTwo;
}

In this example, the first read will not overflow, but could fill bufOne with a truncated string. Furthermore, the second read still could overflow bufTwo. The C++ Standard, [istream.extractors], paragraphs 7–9 [ISO/IEC 14882-2014], describes the behavior of operator>>(basic_istream &, charT *) and, in part, states the following:

operator>> then stores a null byte (charT()) in the next position, which may be the first position if no characters were extracted. operator>> then calls width(0).
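The quoted behavior (at most width()-1 characters, a null written afterwards, width reset to 0) is what makes a single width(12) call protect only the first extraction. The following added example, which is not code from the CERT rule, reapplies the width before every extraction and checks for truncation afterwards by looking at the character that follows the stored text; readWordBounded, ReadStatus, runSample and the sample input string are all constructed for this illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>

// Outcome of one width-bounded extraction into a fixed-size char array.
enum class ReadStatus { Ok, Truncated, NoInput };

// Extract one whitespace-delimited token into buf, storing at most N-1
// characters plus the null terminator. width() is set immediately before
// every extraction because operator>> resets it to 0 afterwards, which is
// why the single width(12) call in the noncompliant example protects only
// the first read. Truncation is detected by looking at the character that
// follows the extracted text: if it is neither whitespace nor end-of-stream,
// the token was longer than the buffer could hold.
template <std::size_t N>
ReadStatus readWordBounded(std::istream &in, char (&buf)[N]) {
  static_assert(N > 1, "buffer must hold at least one character plus a null");
  in.width(static_cast<std::streamsize>(N));
  in >> buf;  // at most N-1 characters, then '\0', then width(0)
  if (in.fail()) {
    buf[0] = '\0';  // nothing extracted (for example, end of input)
    return ReadStatus::NoInput;
  }
  int next = in.peek();
  if (next == std::char_traits<char>::eof() || std::isspace(next)) {
    return ReadStatus::Ok;
  }
  return ReadStatus::Truncated;
}

// Results of running the bounded reader over constructed sample input.
struct Sample {
  ReadStatus first, second, third, fourth;
  std::string firstText, secondText, thirdText;
};

// Constructed sample: a 16-character token that cannot fit in 12 bytes,
// followed by a 3-character token.
Sample runSample() {
  std::istringstream in("abcdefghijklmnop qrs");
  char bufOne[12];
  char bufTwo[12];
  char bufThree[12];
  char bufFour[12];
  Sample s;
  s.first = readWordBounded(in, bufOne);    // "abcdefghijk": truncated
  s.firstText = bufOne;
  s.second = readWordBounded(in, bufTwo);   // "lmnop": rest of the long token
  s.secondText = bufTwo;
  s.third = readWordBounded(in, bufThree);  // "qrs": complete
  s.thirdText = bufThree;
  s.fourth = readWordBounded(in, bufFour);  // end of input, nothing stored
  return s;
}

int main() {
  Sample s = runSample();
  std::cout << s.firstText
            << (s.first == ReadStatus::Truncated ? " (truncated)\n" : "\n")
            << s.secondText << '\n' << s.thirdText << '\n';
  return 0;
}
```

Taking the buffer as a reference to an array lets the compiler supply N, so the width can never disagree with the real buffer size; a caller that sees Truncated knows the rest of the token is still in the stream and can decide whether to discard it or keep reading.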

...

The best solution for ensuring that data is not truncated and for guarding against buffer overflows is to use std::string instead of a bounded array, as in this compliant solution:

#include <iostream>
#include <string>
 
void f() {
  std::string stringOne, stringTwo;
  std::cin >> stringOne >> stringTwo;
}

...

#include <fstream>
#include <string>
 
void f(std::istream &in) {
  char buffer[32];
  try {
    in.read(buffer, sizeof(buffer));
  } catch (std::ios_base::failure &e) {
    // Handle error
  }
 
  std::string str(buffer);
  // ...
}

Compliant Solution

This compliant solution assumes that the input from the file is at most 32 characters. Instead of inserting a null terminator, it constructs the std::string object based on the number of characters read from the input stream. If the size of the input is uncertain, it is better to use std::basic_istream<T>::readsome() or a formatted input function, depending on need.

#include <fstream>
#include <string>

void f(std::istream &in) {
  char buffer[32];
  try {
    in.read(buffer, sizeof(buffer));
  } catch (std::ios_base::failure &e) {
    // Handle error
  }
  std::string str(buffer, in.gcount());
  // ...
}
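The compliant solution sizes the std::string from gcount() rather than from a null terminator. The following added example, which is not code from the CERT rule, carries that idea through the two cases the text leaves to the reader: an input shorter than the buffer (where read() sets failbit together with eofbit) and an input containing an embedded NUL byte. readChunk, ChunkResults, runChunkSample and the sample inputs are constructed for this illustration, and the function assumes the caller has not enabled exceptions on the stream.

```cpp
#include <cstddef>
#include <ios>
#include <iostream>
#include <sstream>
#include <string>

// Read up to maxLen bytes of unformatted input into a std::string whose
// length is exactly the number of bytes read. No null terminator is
// involved, so neither a short read nor an embedded NUL byte can make the
// string the wrong length, which is what std::string str(buffer) risks in
// the noncompliant read() example. Assumes the caller has not enabled
// exceptions on the stream; with exceptions enabled, a short read throws
// std::ios_base::failure before this function can inspect gcount().
std::string readChunk(std::istream &in, std::size_t maxLen) {
  if (maxLen == 0) {
    return std::string();
  }
  std::string chunk(maxLen, '\0');
  in.read(&chunk[0], static_cast<std::streamsize>(maxLen));
  // read() sets failbit together with eofbit when fewer than maxLen bytes
  // remain. That is a short read, not a stream error, so failbit is cleared
  // (badbit is left alone) and gcount() supplies the real length.
  if (in.fail() && !in.bad()) {
    in.clear(in.rdstate() & ~std::ios_base::failbit);
  }
  chunk.resize(static_cast<std::size_t>(in.gcount()));
  return chunk;
}

// Results over constructed sample inputs.
struct ChunkResults {
  std::string shortInput;  // fewer bytes available than the buffer holds
  std::string firstChunk;  // first 32 bytes of a longer input
  std::string remainder;   // what the next read on the same stream returns
  std::size_t withNul;     // length when the input contains a NUL byte
};

ChunkResults runChunkSample() {
  ChunkResults r;
  std::istringstream shortIn("nine char");                             // 9 bytes
  r.shortInput = readChunk(shortIn, 32);
  std::istringstream longIn("0123456789abcdef0123456789abcdefXYZ");  // 35 bytes
  r.firstChunk = readChunk(longIn, 32);
  r.remainder = readChunk(longIn, 32);
  std::istringstream nulIn(std::string("ab\0cd", 5));                // embedded NUL
  r.withNul = readChunk(nulIn, 32).size();
  return r;
}

int main() {
  ChunkResults r = runChunkSample();
  std::cout << r.shortInput.size() << ' ' << r.firstChunk.size() << ' '
            << r.remainder << ' ' << r.withNul << '\n';
  return 0;
}
```

Reading straight into the std::string's own storage removes the intermediate char array entirely, so there is no second buffer whose size could drift out of step with the count passed to read(); the only length that matters is the one gcount() reports.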

Risk Assessment

Copying string data to a buffer that is too small to hold that data results in a buffer overflow. Attackers can exploit this condition to execute arbitrary code with the permissions of the vulnerable process.

Rule: STR50-CPP
Severity: High
Likelihood: Likely
Detectable: No
Repairable: No
Priority: P9
Level: L2

Automated Detection

Astrée
  Checker: stream-input-char-array
  Description: Partially checked + soundly supported

CodeSonar
  MISC.MEM.NTERM: No space for null terminator
  LANG.MEM.BO: Buffer overrun
  LANG.MEM.TO: Type overrun

Helix QAC
  Checkers: C++5216, DF2835, DF2836, DF2839

Klocwork
  Checkers: NNTS.MIGHT, NNTS.TAINTED, NNTS.MUST, SV.UNBOUND_STRING_INPUT.CIN

LDRA tool suite
  Checkers: 489 S, 66 X, 70 X, 71 X
  Description: Partially implemented

Parasoft C/C++test
  CERT_CPP-STR50-b: Avoid overflow due to reading a not zero terminated string
  CERT_CPP-STR50-c: Avoid overflow when writing to a buffer
  CERT_CPP-STR50-e: Prevent buffer overflows from tainted data
  CERT_CPP-STR50-f: Avoid buffer write overflow from tainted data
  CERT_CPP-STR50-g: Do not use the 'char' buffer to store input from 'std::cin'

Polyspace Bug Finder
  Checker: CERT C++: STR50-CPP
  Checks for:
  • Use of dangerous standard function
  • Missing null in string array
  • Buffer overflow from incorrect string format specifier
  • Destination buffer overflow in string manipulation
  • Insufficient destination buffer size
  Rule partially covered.

RuleChecker
  Checker: stream-input-char-array
  Description: Partially checked

Security Reviewer - Static Reviewer
  Checkers: RTOS_33, RTOS_34, shadowVariable, UNSAFE_03, UNSAFE_04
  Description: Fully implemented

SonarQube C/C++ Plugin
  Checker: S3519

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 14882-2014]
  Subclause 27.7.2.2.3, "basic_istream::operator>>"
  Subclause 27.7.2.3, "Unformatted Input Functions"

[Seacord 2013]
  Chapter 2, "Strings"

...
