CXX.SIZEOF.CSTRING

Use of sizeof on char* may be misleading

The sizeof operator returns the size of its operand argument in bytes. In the case of a char pointer, it is the size of the pointer type and not the size of the string that is returned as the name is misleading. To get the length of a char* string, use the appropriate C library function.

Vulnerability and risk

Incorrect calculations of string sizes can lead to many types of security vulnerabilities.

Mitigation and prevention

Avoid using sizeof(char *).

Vulnerable code example

1
2
3
4
5
int str_len (char* text)
{
  int len = sizeof(text);
  return len;
}

The use of sizeof on a char* produces the size of the pointer type and not the size of the string, which is misleading.

External guidance

• CWE-467: Use of sizeof() on a Pointer Type
• CWE-682: Incorrect Calculation
• CWE-805: Buffer Access with Incorrect Length Value
• CWE-131: Incorrect Calculation of Buffer Size

Security training

Application security training materials provided by Secure Code Warrior.

• Buffer Overflow Training Video - Test your skills with a training example