View Help Online

Start here

Home
About Klocwork
What's new
Fixed issues
Release notes
Installation

Reference

C/C++ checkers
Java checkers
C# checkers
MISRA C 2004 checkers
MISRA C++ 2008 checkers
MISRA C 2012 checkers
MISRA C 2012 checkers with Amendment 1
Commands
Metrics
Troubleshooting
Reference

Product components

C/C++ Integration build analysis
Java Integration build analysis
Desktop analysis
Refactoring
Klocwork Static Code Analysis
Klocwork Code Review
Structure101
Tuning
Custom checkers

Coding environments

Visual Studio
Eclipse for C/C++
Eclipse for Java
IntelliJ IDEA
Other

Administration

Project configuration
Build configuration
Administration
Analysis performance
Server performance
Security/permissions
Licensing
Klocwork Static Code Analysis Web API
Klocwork Code Review Web API

Community

View help online
Visit RogueWave.com
Klocwork Support
Rogue Wave Videos

Legal

Legal information

NNTS.TAINTED

Buffer overflow from non null-terminated string in tainted input

In C and C++, a C string, or a null-terminated string, is a character sequence terminated with a null character (\0). The length of a C string is found by searching for the null character.

The NNTS family of checkers looks for code that uses string manipulation functions with character arrays that are not or may not be null terminated. The NNTS.TAINTED checker looks for buffer overflows due to a non null-terminated string caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.

Vulnerability and risk

The null termination has historically created security problems. For example:

  • a null character inserted into a string can truncate it unexpectedly
  • it's a common bug not to allocate enough space for the null character or to forget the null
  • many programs don't check the length before copying a string to a fixed-size buffer, causing a buffer overflow when it's too long
  • the inability to store a null character means that string and binary data needs to be handled by different functions, which can cause problems if the wrong function is used

Mitigation and prevention

To avoid the problem:

  • add special code to validate null termination of string buffers if performance constraints permit
  • switch to bounded-string manipulation functions like strncpy
  • inspect buffer lengths involved in the buffer overrun traceback

Vulnerable code example

1  void TaintedAccess()
2  {
3      char src[32];
4  
5      char dst[48];
6  
7      read(0, src, sizeof(src));
8      strcpy(dst, src);
9  }

The function 'read' reads arbitrary data from the external source (file), which may be tainted. The resulting buffer is not guaranteed to be null terminated (static size of buffers does not matter here). When strcpy is invoked, two violations occur: reading past bounds of src, and writing past bounds of dst. In this case, the NNTS.TAINTED checker has found two buffer overflows due to non null-terminated strings caused by unvalidated input data originating from the user or external devices. Klocwork produces a buffer overflow report for array 'dst' at line 8: buffer overflow of 'dst', caused by unvalidated user input due to non null-terminated string 'src'. A similar error is reported for array 'src', also at line 8. This code will result in buffer overflows, which can cause various significant security problems.

Related checkers

External guidance

Extension

This checker can be extended. Platform-specific and application-specific information can be added through the Klocwork knowledge base. Configuration is used to describe properties of system functions that perform buffer manipulation. Several platform-specific configurations are provided as part of the standard distribution. See Tuning C/C++ analysis for more information.

Parent topic: Buffer overflow
Previous topic: NNTS.MUST
Next topic: RABV.CHECK

© Rogue Wave Software, Inc. All rights reserved. | Contact