Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-5813

Using "strlen" or "wcslen" is security-sensitive

    XMLWordPrintable

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure use of "strlen" is safe here.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Covered Languages:
      C, C++, Objective-C
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • CERT:
      STR07-C.
    • CWE:
      CWE-120

      Description

      In C, a string is just a buffer of characters, usually using the null character as a sentinel for the end of the string. Which mean that the developer has to be aware of low level details such as buffer sizes, having an extra character to store the final null character... Doing that correctly and consistently is notoriously difficult, and any error can lead to a security vulnerability, for instance giving access to sensitive data, or allowing arbitrary code execution.

      The function char *strlen(char * restrict s); measures the length of the string s (excluding the final null character). The wcslen does the same for wide characters, and should be used with the same guidelines.

      Ask Yourself Whether

      • There is a possibility that the pointer is null
      • There is a possibility that the string is not correctly null-terminated

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • C11 provides, in its annex K, the strlen_s and the wcslen_s that were designed as safer alternative to strlen and wcslen. It's not recommended to use them in all circumstances, because they introduce a runtime overhead and require to write more code for error handling, but they perform checks that will limit the consequences of calling the function with bad arguments.
      • Even if your compiler does not exactly support annex K, you probably have access to similar functions
      • If you are writing C++ code, using std::string to manipulate strings is much simpler and less error-prone

      Sensitive Code Example

      int f(char *src) {
        char dest[256];
        strncpy(dest, src, sizeof dest); // Truncation may happen
        return strlen(dest); // Sensitive: "dest" will not be null-terminated if truncation happened
      }
      

      Compliant Solution

      int f(char *src) {
        char dest[256];
        strncpy(dest, src, sizeof dest); // Truncation may happen
        dest[sizeof dest - 1] = 0;
        return strlen(dest); // Compliant: "dest" is guaranteed to be null-terminated
      }
      

      See

      • MITRE, CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
      • CERT, STR07-C. - Use the bounds-checking interfaces for string manipulation

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              freddy.mallet Freddy Mallet (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: