SV.STRBO.UNBOUND_COPY

Buffer overflow from unbound string copy

The function strcpy is used to copy a source string to a buffer of memory. The function has a fixed size array as a destination, but strcpy does not impose limits on copied data, so there is potential for buffer overflow.

The SV.STRBO.UNBOUND_COPY checker flags instances of code that calls strcpy.

Vulnerability and risk

The function strcpy does not check the length of the string being copied and can easily result in a buffer overrun. It is preferable, if possible, to use the strncpy function and review the usage of buffers in the application.

Vulnerable code example

1
2
3
4
5
6
7
  int main()
  {
       char FIXEDbuf[12];
       strcpy(FIXEDbuf, "Something rather large");
  
       return 0;
  }

Klocwork produces an issue report at line 4 indicating that function strcpy does not check buffer boundaries and may overrun buffer 'FIXEDbuf' of fixed size 12.

Fixed code example

1
2
3
4
5
6
7
8
9
  int main()
  {
       char FIXEDbuf[23];
       char *POINTERbuf;
       strcpy(FIXEDbuf, "Something rather large");
       strcpy(POINTERbuf, "Something very large as well");
  
       return 0;
  }

In the fixed code example, the size of FIXEDbuf has been increased to 23 to make sure that it has enough room for the strcpy operation. Another option for fixing the code is to use strncpy and check the buffer size.

Related checkers

• SV.STRBO.BOUND_COPY.OVERFLOW
• SV.STRBO.BOUND_COPY.UNTERM
• SV.STRBO.BOUND_SPRINTF
• SV.STRBO.UNBOUND_SPRINTF

External guidance

• CERT ARR00-C: Understand how arrays work
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• STIG-ID: APP3590.1 Application is vulnerable to buffer overflows
• STIG-ID: APP3590.2 Application is vulnerable to buffer overflows

Security training

Application security training materials provided by Secure Code Warrior.

• Buffer Overflow Training Video - Test your skills with a training example