...
If a runtime-constraint error is detected by the call to either strnlen_s() or strcpy_s(), the currently registered runtime-constraint handler is invoked. See ERR03-C. Use runtime-constraint handlers when calling the bounds-checking interfaces for more information on using runtime-constraint handlers with C11 Annex K functions.
Exceptions
STR03-C-EX1: The intent of the programmer is to purposely truncate the string.
...
Truncating strings can lead to a loss of data.
Recommendation | Severity | Likelihood |
|---|
Detectable | Repairable | Priority | Level |
|---|---|---|---|
STR03-C | Medium | Probable |
No | No |
P4 |
L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| MISC.MEM.NTERM | No Space For Null Terminator | ||||||
| Compass/ROSE |
Could detect violations in the following manner: all calls to |
| GCC |
| 8. |
| 1 | -Wstringop-truncation | Detects string truncation by strncat and strncpy. | ||||||
| Klocwork |
| NNTS.MIGHT |
NNTS.MUST | ||||||||
| LDRA tool suite |
| 115 S, 44 S |
Fully implemented
Partially implemented | |||||||||
| Parasoft C/C++test |
| CERT_C-STR03-a | Avoid overflow due to reading a not zero terminated string | ||||||
| Polyspace Bug Finder |
| CERT C: Rec. STR03-C | Checks for invalid use of standard library string routine (rec. partially supported) |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID STR03-CPP. Do not inadvertently truncate a null-terminated character array |
| ISO/IEC TR 24772:2013 | String Termination [CJM] |
| MITRE CWE | CWE-170, Improper null termination CWE-464, Addition of data structure sentinel |
Bibliography
| [Seacord 2013] | Chapter 2, "Strings" |
...
...