SV.UNBOUND_STRING_INPUT.FUNC

Buffer overflow from unbounded string copy

The string copy function is used to copy a string of characters to a buffer of memory. The strcpy function has no argument to limit the size of the written data, so a buffer overflow may result. The SV.UNBOUND_STRING_INPUT.FUNC checker looks for code calling insecure string copy functions that don't specify a buffer size, like gets(), gettext(), or catgets().

Vulnerability and risk

If the string copy function is called without a size parameter, a buffer overrun error can result. This can lead to application instability or, with a carefully constructed attack, code injection or other vulnerabilities.

Mitigation and prevention

To avoid this vulnerability
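Added example, not code from the Klocwork page: a bounded line reader built on fgets() that a program can use in place of gets(). Beyond passing the buffer size, it handles the two cases a bare fgets() call leaves open: fgets() keeps the trailing newline in the buffer, and when the input is longer than the buffer the excess stays in the stream and is returned by the next read, so a later call sees a line it never asked for. The reader strips the newline, drains an over-long line, and reports truncation through a status enum. The names read_line, line_status and stream_from_string are this example's own; stream_from_string builds a constructed input stream for testing in place of stdin.

```c
/* Added example (not from the Klocwork page): bounded line input that
   replaces gets() without silently losing data. It never writes past
   buf[size - 1], strips the trailing newline, and reports when the line
   was longer than the buffer instead of leaving the excess for the next
   read. Standard C only. */
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_EOF, LINE_TRUNCATED };

/* Read one line from 'in' into buf[size]. At most size - 1 bytes are stored. */
enum line_status read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0)
        return LINE_EOF;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';                  /* EOF or read error: leave a valid string */
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* the whole line fit: drop the newline */
        return LINE_OK;
    }
    /* No newline in the buffer: the line filled it exactly, ended at EOF, or
       was too long. Look at the next character to tell which. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    /* Too long: discard the rest so the next read starts on a fresh line. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Test helper (hypothetical): a seekable stream holding constructed input,
   standing in for stdin so the reader can be exercised offline. */
FILE *stream_from_string(const char *input)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(input, f);
    rewind(f);
    return f;
}

int main(void)
{
    char address[256];
    printf("Insert your full address: ");
    fflush(stdout);
    enum line_status st = read_line(address, sizeof address, stdin);
    if (st == LINE_TRUNCATED)
        printf("Note: only the first %zu characters were kept.\n", sizeof address - 1);
    printf("Your address is: %s\n", address);
    return 0;
}
```

Passing sizeof address rather than a literal keeps the bound tied to the array, so resizing the buffer cannot desynchronize the two; the LINE_TRUNCATED status lets the caller decide whether a cut-off value is acceptable instead of processing it as if it were complete.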
Vulnerable code example 1

    #include <stdio.h>

    int main()
    {
        char string[256];
        printf("Insert your full address: ");
        gets(string); /* SV.UNBOUND_STRING_INPUT.FUNC reported here: gets() cannot be told the size of 'string' and was removed from C11 */
        printf("Your address is: %s\n", string);
        return 0;
    }

Fixed code example 1

    #include <stdio.h>

    int main()
    {
        char string[256];
        printf("Insert your full address: ");
        fgets(string, sizeof(string), stdin); /* No checker reported because fgets considers the size of the string array; a trailing newline is kept if the line fits */
        printf("Your address is: %s\n", string);
        return 0;
    }

Vulnerable code example 2

    #include <stdio.h>
    #include <tchar.h> /* Windows-only: _gettws is the TCHAR form of gets() */

    int main()
    {
        char string[256];
        printf("Please Enter Your Full Name:");
        _gettws(string); /* SV.UNBOUND_STRING_INPUT.FUNC reported here: no size argument */
        printf("Your Full Name Is: %s\n", string);
        return 0;
    }

Fixed code example 2

    #define __STDC_WANT_LIB_EXT1__ 1 /* request the C11 Annex K bounds-checked functions (gets_s) */
    #include <stdio.h>

    int main()
    {
        char string[256];
        printf("Please Enter Your Full Name:");
        gets_s(string, sizeof(string)); /* no SV.UNBOUND_STRING_INPUT.FUNC reported here: the bound is the array size, not strlen() of an uninitialized buffer */
        printf("Your Full Name Is: %s\n", string);
        return 0;
    }

Related checkers

External guidance