There are two basic approaches for managing NULL-terminated byte strings in C programs. The first is the static approach, where strings are maintained in statically allocated arrays. The second approach is the dynamic approach, where memory is allocated as required. Each approach has advantages and disadvantages. However, it generally makes sense to select a single approach to managing strings and apply it consistently across a project. Otherwise, the decision is left to individual programmers who are likely to make different, inconsistent choices.

Statically allocated strings assumes a fixed size character array, meaning that it is impossible to add data after buffer is filled. Because the static approach discards excess data, actual program data can be lost. Consequently, the resulting string must be fully validated.

Dynamically allocated buffers dynamically resize as additional memory is required. Dynamic approaches scale better and do not discard excess data. The major disadvantage is that if inputs are not limited they can exhaust memory on a machine consequently be used in denial-of-service attacks.

Dynamical allocation is often disallowed in safety critical systems.  For example, the MISRA standard includes Rule 20.4 that requires that "Dynamic heap memory allocation shall not be used" \[[MISRA 04|AA. C References#MISRA 04]\].  Some safety critical systems can take advantage of dynamic memory allocation during initialization, but not during operations.  For example, avionics software may dynamically allocate memory while initializing the aircraft, but not during flight.  

There are a number of existing libraries available for managing string data; the library selected depends on the overall approach adopted for managing NULL-terminated byte strings.  The functions defined by C99 Section 7.21, "String handling <string.h>" \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] are primarily intended for managing statically allocated strings.  However, these functions are problematic because many of the functions fail to account for the size of the destination array.  Consequently, this standard recommends use of the ISO/IEC TR 24731-1 \[[ISO/IEC TR 24731-1-2007|AA. C References#ISO/IEC TR 24731-1-2007]\] functions when using statically allocated arrays (see [STR07-A. Use TR 24731 for remediation of existing string manipulation code]).

ISO/IEC TR 24731 Part II (24731-2, in progress) offer another approach, supplying functions that allocate enough memory for their results \[[ISO/IEC WDTR 24731-2|AA. C References#ISO/IEC WDTR 24731-2]\]. ISO/IEC TR 24731 Part II provides an API that dynamically allocates the results of string functions as needed. This TR includes a number of POSIX functions 

The managed string library described in \[[Burch 06|AA. C References#Burch06]\] was developed in response to the need for a string library that could improve the quality and security of newly developed C language programs while eliminating obstacles to widespread adoption and possible standardization.

The managed string library is based on a dynamic approach in which memory is allocated and reallocated as required. This approach eliminates the possibility of unbounded copies, NULL-termination errors, and truncation by ensuring there is always adequate space available for the resulting string (including the terminating NULL character).

A runtime-constraint violation occurs when memory cannot be allocated. In this way, the managed string library accomplishes the goal of succeeding or failing in a pronounced manner.

The managed string library also provides a mechanism for dealing with data sanitization by (optionally) checking that all characters in a string belong to a predefined set of "safe" characters.

Risk Assessment

String handling functions defined in C99 \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable [vulnerabilities|BB. Definitions#vulnerability]. Managed strings, when used properly, can eliminate many of these errors, particularly in new development.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

STR01-A

low

unlikely

high

P3

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[Burch 06|AA. C References#Burch06]\]
\[[CERT 06c|AA. C References#CERT 06c]\]
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.21, "String handling <string.h>"
\[[MISRA 04|AA. C References#MISRA 04]\] Rule 20.4 
\[[Seacord 05a|AA. C References#Seacord 05a]\] Chapter 2, "Strings"
\[[ISO/IEC WDTR 24731-2|AA. C References#ISO/IEC WDTR 24731-2]\] [Extensions to the C Library, — Part II: Dynamic Allocation Functions|http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1248.pdf]. August, 2007.

ISO/IEC 9945:2003 (including Technical Corrigendum 1), Information technology — Programming languages, their environments and system software interfaces — Portable Operating System Interface (POSIX®).


STR00-A. Represent characters using an appropriate type      07. Characters and Strings (STR)       STR02-A. Sanitize data passed to complex subsystems