SV.STRBO.BOUND_COPY.UNTERM

Possible Buffer Overflow in Following String Operations

This defect is reported if the bounded copy operation does not overflow the buffer size, but it does not leave space in the buffer for string NULL-terminator. The SV.STRBO.BOUND_COPY.UNTERM checker finds this situation if after string copy operations strncpy, StrnCpy, safe_strcpy, there is no space for NULL-terminator in the buffer.

Vulnerability and risk

If the string is not NULL-terminated, then there is a possible buffer overrun in following unbounded string operations.

Vulnerable code example

1
2
3
4
5
 #include <string.h>
 int main(int argc, char* argv[]){
   char foo[10];
   strncpy(foo, "1234567890", sizeof(foo));
 }

In this example, SV.STRBO.BOUND_COPY.UNTERM is reported in line 4 because there is no space for NULL-terminator in buffer foo.

Fixed code example 1

1
2
3
4
5
 #include <string.h>
 int main(int argc, char* argv[]){
   char foo[12];
   strncpy(foo, "1234567890", sizeof(foo));
 }

This fix allows strncpy place NULL-terminator to buffer after copying string, because sizeof(foo) returns a value greater than the source string length.

Related checkers

• SV.STRBO.BOUND_COPY.OVERFLOW

External guidance

• CERT STR32-C: Do not pass a non-null-terminated character sequence to a library function that expects a string
• CWE-126: Buffer Over-read
• CWE-170: Improper Null Termination
• CWE-193: Off-by-one Error

Security training

Application security training materials provided by Secure Code Warrior.

• Buffer Overflow Training Video - Test your skills with a training example