Page History

Alternative functions that limit the number of bytes copied are often recommended to mitigate buffer overflow vulnerabilities, for example:. Examples include

• strncpy() instead of strcpy()
• strncat() instead of strcat()
• fgets() instead of gets()
• snprintf() instead of sprintf()

These function truncate strings that exceed the specified limits. Additionally, some functions such as {{strncpy()}} do not guarantee that the resulting string is null-terminated \[[STR33-C|STR33-C. Guarantee that all strings are null-terminated]\].
Truncation results in a loss of data, and in some cases, leads to software vulnerabilities.

Non-Compliant Code Example

These functions truncate strings that exceed the specified limits. Additionally, some functions, such as strncpy(), do not guarantee that the resulting character sequence is null-terminated. (See STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string.)

Unintentional truncation results in a loss of data and in some cases leads to software vulnerabilities.

Noncompliant Code Example

The standard functions The standard function strncpy() and strncat() copy a specified number of characters n characters from a source string to a destination array. If In the case of strncpy(), if there is no null character in the first n characters of the source array, the result is will not be null-terminated and any remaining charactes characters are truncated.

char *string_data;
char a[16];
/* ... */
strncpy(a, string_data, sizeof(a));

Compliant Solution

...

Truncation resulting from a string copy operation should be treated as an error condition.

(Adequate Space)

Either the strcpy() or strncpy() function can be used to copy a string and a null character to a destination buffer, provided there is enough space. The programmer must be careful to ensure that the destination buffer is large enough to hold the string to be copied and the null byte to prevent errors, such as data truncation and buffer overflow.

#define A_SIZE 16
char *string_data = NULL;
char a[A_SIZE16];

/* ...
if (string_data) {
  if (strlen */

if (string_data) < sizeof(a)) {
    strcpy(a, string_data);
  }
  else== NULL) {
    /* handleHandle stringnull toopointer large conditionerror */
  }
}
else {
  /* handle null string condition */
}

Compliant Solution 2

The {{strcpy_s()}} function provides additional safeguards including accepting the size of the destination buffer as an additional argument \[[STR00-A|STR00-A. Use TR 24731 for remediation of existing string manipulation code]\].

#define A_SIZE 16
char *string_data;
char a[A_SIZE];
...
if (string_data) {
  if (strlen(string_data) < sizeof(a)) {
    strcpy(a, >= sizeof(a), string_data);
  }
  else {
    /* Handle handleoverlong string too large conditionerror */
  }
}
else {
  /* handle null string condition */
}

Exception

An exception to this rule applies if the intent of the programmer was to intentionally truncate the null-terminated byte string. To be compliant with this standard, this intent must be made clear statement in comments.

...

strcpy(a, string_data);
}

This solution requires that string_data is null-terminated; that is, a null byte can be found within the bounds of the referenced character array. Otherwise, strlen() will stray into other objects before finding a null byte.

Exceptions

STR03-C-EX1: The intent of the programmer is to purposely truncate the string.

Risk Assessment

Truncating strings can lead to a loss of data and exploitable vulnerabilities in some cases.

References

...

.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...

Image Added Image Added Image Added

...