View Help Online

Start here

Home
About Klocwork
What's new
Fixed issues
Release notes
Installation

Reference

C/C++ checkers
Java checkers
C# checkers
MISRA C 2004 checkers
MISRA C++ 2008 checkers
MISRA C 2012 checkers
MISRA C 2012 checkers with Amendment 1
Commands
Metrics
Troubleshooting
Reference

Product components

C/C++ Integration build analysis
Java Integration build analysis
Desktop analysis
Refactoring
Klocwork Static Code Analysis
Klocwork Code Review
Structure101
Tuning
Custom checkers

Coding environments

Visual Studio
Eclipse for C/C++
Eclipse for Java
IntelliJ IDEA
Other

Administration

Project configuration
Build configuration
Administration
Analysis performance
Server performance
Security/permissions
Licensing
Klocwork Static Code Analysis Web API
Klocwork Code Review Web API

Community

View help online
Visit RogueWave.com
Klocwork Support
Rogue Wave Videos

Legal

Legal information

NNTS.MUST

Buffer overflow from non null-terminated string

In C and C++, a C string, or a null-terminated string, is a character sequence terminated with a null character (\0). The length of a C string is found by searching for the null character.

The NNTS family of checkers looks for code that uses string manipulation functions with character arrays that are not or may not be null terminated. The NNTS.MUST checker looks for code using string manipulation functions in which a character array is not null terminated.

Vulnerability and risk

The null termination has historically created security problems. For example:

  • a null character inserted into a string can truncate it unexpectedly
  • it's a common bug not to allocate enough space for the null character or to forget the null
  • many programs don't check the length before copying a string to a fixed-size buffer, causing a buffer overflow when it's too long
  • the inability to store a null character means that string and binary data needs to be handled by different functions, which can cause problems if the wrong function is used

Mitigation and prevention

To avoid the problem:

  • add special code to validate null termination of string buffers if performance constraints permit
  • switch to bounded-string manipulation functions like strncpy
  • inspect buffer lengths involved in the buffer overrun traceback

Vulnerable code example

1  #include <stdio.h>
2  
3  int main()
4  {
5      char buf[8];
6      char tgt[1024];
7      const char * src = "abcdef";
8  
9      strncpy(buf, src, 3);
10     strcpy(tgt, buf);
11     return 0;
12 }

Klocwork produces a buffer overflow report for array 'tgt' at line 10: buffer overflow of 'tgt', due to non-null terminated string 'buf'. A similar error is reported for array 'buf' also at line 10. In the example, the array bounds violation is reported twice because there is a reading of 'buf' and writing of 'tgt'. Both read and write occur beyond the buffers' boundaries (equal to or greater than 3), due to the fact that 'buf' was not null terminated (which in turn occurred because of the improper use of strcpy). This code will result in a buffer overflow, which can cause various significant security problems.

Related checkers

External guidance

Extension

This checker can be extended. See Tuning C/C++ analysis for more information.

Parent topic: Buffer overflow
Previous topic: NNTS.MIGHT
Next topic: NNTS.TAINTED

© Rogue Wave Software, Inc. All rights reserved. | Contact