SV.STRBO.BOUND_COPY.UNTERM

Possible Buffer Overflow in Following String Operations

This defect is reported if a bounded copy operation does not overflow the destination buffer, but leaves no space in the buffer for the string's NULL-terminator. The SV.STRBO.BOUND_COPY.UNTERM checker flags this situation when, after one of the string copy operations strncpy, StrnCpy or safe_strcpy, there is no room for the NULL-terminator in the buffer. Note that strncpy only writes a terminator when the source string is shorter than the length argument; when the source is at least that long, the destination is filled completely and no terminator is written.

Vulnerability and risk

If the string is not NULL-terminated, subsequent unbounded string operations on the buffer (for example strlen, strcpy or strcat) read or write past its end, which is a possible buffer overrun.

Vulnerable code example

    1 #include <string.h>
    2 int main(int argc, char* argv[]){
    3     char foo[10];
    4     strncpy(foo, "1234567890", sizeof(foo));
    5 }

In this example, SV.STRBO.BOUND_COPY.UNTERM is reported on line 4 because the source string fills all 10 bytes of foo, leaving no space for the NULL-terminator.

Fixed code example 1

    1 #include <string.h>
    2 int main(int argc, char* argv[]){
    3     char foo[12];
    4     strncpy(foo, "1234567890", sizeof(foo));
    5 }

This fix allows strncpy to place the NULL-terminator in the buffer after copying the string, because sizeof(foo) is greater than the source string length, so strncpy pads the remaining bytes with NULL characters.

Related checkers
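The following is an added example, not code from the checker documentation. It reproduces the page's strncpy pattern with a buffer of a chosen size, checks with memchr (which stops at the buffer bound, unlike strlen) whether a terminator actually landed inside the buffer, and contrasts it with a bounded copy that writes the terminator explicitly. The helper names (is_nul_terminated, strncpy_demo, bounded_copy, bounded_copy_demo) are this example's own and are not part of the checker or any library.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf holds a NUL somewhere in its first len bytes, else 0.
   memchr never reads past len, so it is safe on an unterminated buffer;
   strlen on the same buffer would read out of bounds. */
int is_nul_terminated(const char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* Reproduces the page's pattern: strncpy of the constructed 10-character
   source "1234567890" into a destination of dst_size bytes, with n equal to
   dst_size. Returns 1 if the result is terminated, 0 if not, -1 on bad size. */
int strncpy_demo(size_t dst_size) {
    char dst[16];
    if (dst_size == 0 || dst_size > sizeof dst) return -1;
    /* Poison the buffer so a stale NUL cannot hide a missing terminator. */
    memset(dst, 'X', sizeof dst);
    strncpy(dst, "1234567890", dst_size);
    return is_nul_terminated(dst, dst_size);
}

/* Bounded copy that always terminates: copies at most dst_size - 1 bytes and
   writes the NUL itself, so a following strlen/strcat stays in bounds.
   Returns 1 if the whole source fit, 0 if it was truncated. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t src_len, n;
    if (dst_size == 0) return 0;
    src_len = strlen(src);
    n = src_len < dst_size ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len < dst_size;
}

/* Same source and destination sizes as strncpy_demo, but using bounded_copy.
   Returns 2 = complete and terminated, 1 = truncated but terminated,
   0 = not terminated (should never happen), -1 on bad size. */
int bounded_copy_demo(size_t dst_size) {
    char dst[16];
    int full;
    if (dst_size == 0 || dst_size > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);
    full = bounded_copy(dst, dst_size, "1234567890");
    if (!is_nul_terminated(dst, dst_size)) return 0;
    return full ? 2 : 1;
}

int main(void) {
    /* Buffer of 10 bytes: the page's vulnerable case. */
    printf("strncpy into 10 bytes terminated: %d\n", strncpy_demo(10));
    /* Buffer of 12 bytes: the page's fixed case. */
    printf("strncpy into 12 bytes terminated: %d\n", strncpy_demo(12));
    /* Explicit termination keeps even the 10-byte buffer safe (truncated). */
    printf("bounded_copy into 10 bytes: %d\n", bounded_copy_demo(10));
    printf("bounded_copy into 12 bytes: %d\n", bounded_copy_demo(12));
    return 0;
}
```

Sizing the buffer larger, as in the page's fix, works only while the source is known to be shorter than the buffer; the explicit-terminator pattern in bounded_copy holds for any source length at the cost of silent truncation, which the return value lets the caller detect.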