Buffer overflow from non null-terminated string in tainted input
In C and C++, a C string, or a null-terminated string, is a character sequence terminated with a null character (\0). The length of a C string is found by searching for the null character.
The NNTS family of checkers looks for code that uses string manipulation functions with character arrays that are not or may not be null terminated. The NNTS.TAINTED checker looks for buffer overflows due to a non null-terminated string caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.
Vulnerability and risk
The null termination has historically created security problems. For example:
- a null character inserted into a string can truncate it unexpectedly
- it's a common bug not to allocate enough space for the null character or to forget the null
- many programs don't check the length before copying a string to a fixed-size buffer, causing a buffer overflow when it's too long
- the inability to store a null character means that string and binary data needs to be handled by different functions, which can cause problems if the wrong function is used
Mitigation and prevention
To avoid the problem:
- add special code to validate null termination of string buffers if performance constraints permit
- switch to bounded-string manipulation functions like strncpy
- inspect buffer lengths involved in the buffer overrun traceback
Vulnerable code example
read(0, src, sizeof(src));
The function 'read' reads arbitrary data from the external source (file), which may be tainted. The resulting buffer is not guaranteed to be null terminated (static size of buffers does not matter here). When strcpy is invoked, two violations occur: reading past bounds of src, and writing past bounds of dst. In this case, the NNTS.TAINTED checker has found two buffer overflows due to non null-terminated strings caused by unvalidated input data originating from the user or external devices. Klocwork produces a buffer overflow report for array 'dst' at line 8: buffer overflow of 'dst', caused by unvalidated user input due to non null-terminated string 'src'. A similar error is reported for array 'src', also at line 8. This code will result in buffer overflows, which can cause various significant security problems.
- CERT ARR00-C: Understand how arrays work
- CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
- CERT STR02-C: Sanitize data passed to complex subsystems
- CERT STR50-CPP: Guarantee that storage for strings has sufficient space for character data and the null terminator
- CWE-20: Improper Input Validation
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-125: Out-of-bounds Read
- CWE-170: Improper Null Termination
- CWE-787: Out-of-bounds Write
- STIG-ID: APP3510 Input Validation
- STIG-ID: APP3570 Application vulnerable to Command Injection
- STIG-ID: APP3590.1 Application is vulnerable to buffer overflows
Application security training materials provided by Secure Code Warrior.
This checker can be extended. Platform-specific and application-specific information can be added through the Klocwork knowledge base. Configuration is used to describe properties of system functions that perform buffer manipulation. Several platform-specific configurations are provided as part of the standard distribution. See Tuning C/C++ analysis for more information.