NNTS.TAINTED

Buffer overflow from non null-terminated string in tainted input

In C and C++, a C string, or a null-terminated string, is a character sequence terminated with a null character (\0). The length of a C string is found by searching for the null character.

The NNTS family of checkers looks for code that uses string manipulation functions with character arrays that are not or may not be null terminated. The NNTS.TAINTED checker looks for buffer overflows due to a non null-terminated string caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.

Vulnerability and risk

The null termination has historically created security problems. For example:

  • a null character inserted into a string can truncate it unexpectedly
  • it's a common bug not to allocate enough space for the null character or to forget the null
  • many programs don't check the length before copying a string to a fixed-size buffer, causing a buffer overflow when it's too long
  • the inability to store a null character means that string and binary data needs to be handled by different functions, which can cause problems if the wrong function is used

Mitigation and prevention

To avoid the problem:

  • add special code to validate null termination of string buffers if performance constraints permit
  • switch to bounded-string manipulation functions like strncpy
  • inspect buffer lengths involved in the buffer overrun traceback

Vulnerable code example

Copy
  void TaintedAccess()
  {
      char src[32];
  
      char dst[48];
  
      read(0, src, sizeof(src));
      strcpy(dst, src);
  }

The function 'read' reads arbitrary data from the external source (file), which may be tainted. The resulting buffer is not guaranteed to be null terminated (static size of buffers does not matter here). When strcpy is invoked, two violations occur: reading past bounds of src, and writing past bounds of dst. In this case, the NNTS.TAINTED checker has found two buffer overflows due to non null-terminated strings caused by unvalidated input data originating from the user or external devices. Klocwork produces a buffer overflow report for array 'dst' at line 8: buffer overflow of 'dst', caused by unvalidated user input due to non null-terminated string 'src'. A similar error is reported for array 'src', also at line 8. This code will result in buffer overflows, which can cause various significant security problems.

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker can be extended. Platform-specific and application-specific information can be added through the Klocwork knowledge base. Configuration is used to describe properties of system functions that perform buffer manipulation. Several platform-specific configurations are provided as part of the standard distribution. See Tuning C/C++ analysis for more information.