SV.STRBO.BOUND_COPY.UNTERM
Possible Buffer Overflow in Following String Operations
This defect is reported when a bounded copy operation does not overflow the buffer but leaves no space in it for the string's NULL-terminator. The SV.STRBO.BOUND_COPY.UNTERM checker reports this situation when, after one of the string copy operations strncpy, StrnCpy, or safe_strcpy, there is no space for the NULL-terminator in the buffer.
Vulnerability and risk
If the string is not NULL-terminated, subsequent unbounded string operations on it can overrun the buffer.
Vulnerable code example
#include <string.h>
int main(int argc, char* argv[]){
    char foo[10];
    strncpy(foo, "1234567890", sizeof(foo));
}
In this example, SV.STRBO.BOUND_COPY.UNTERM is reported on line 4 because there is no space for the NULL-terminator in buffer foo.
Fixed code example 1
#include <string.h>
int main(int argc, char* argv[]){
    char foo[12];
    strncpy(foo, "1234567890", sizeof(foo));
}
This fix allows strncpy to place a NULL-terminator in the buffer after copying the string, because sizeof(foo) returns a value greater than the source string length.
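Added example (not part of the original checker documentation): when the buffer cannot simply be enlarged, the copy can reserve the last byte and terminate explicitly. The helper names is_terminated and copy_terminated are hypothetical, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf holds a NUL byte within its first size bytes, else 0. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Hypothetical helper: bounded copy that always terminates dst.
 * Returns 0 if src fit completely, 1 if it was truncated, -1 on bad args. */
int copy_terminated(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    strncpy(dst, src, dst_size - 1);  /* copy at most dst_size - 1 bytes */
    dst[dst_size - 1] = '\0';         /* last byte is always the terminator */
    return strlen(src) >= dst_size ? 1 : 0;
}

/* The reported pattern: 10 characters copied into a 10-byte buffer. */
int unterminated_case(void)
{
    char foo[10];
    strncpy(foo, "1234567890", sizeof(foo));
    return is_terminated(foo, sizeof(foo));  /* no NUL anywhere in foo */
}

/* Same buffer size, but the copy reserves room for the terminator. */
int hardened_case(void)
{
    char foo[10];
    int truncated = copy_terminated(foo, sizeof(foo), "1234567890");
    return truncated == 1
        && is_terminated(foo, sizeof(foo))
        && strcmp(foo, "123456789") == 0;    /* safe: foo is terminated */
}

int main(void)
{
    printf("strncpy result terminated:   %d\n", unterminated_case());
    printf("hardened copy is terminated: %d\n", hardened_case());
    return 0;
}
```

The truncation return value lets the caller decide whether a shortened string is acceptable instead of silently continuing with partial data.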