Unsafe use of strlcpy and strlcat return values
Description
The strlcpy() and strlcat() functions return the total length of the string they tried to create (strlen(src) for strlcpy(), and the initial strlen(dst) plus strlen(src) for strlcat()), which can be larger than the size of the destination buffer when the result was truncated. If that value is used without a check, e.g. as an index into the destination buffer, the access lands past the end of the buffer and memory corruption occurs.
Examples
Insecure Code

```c
/* strlcpy() returns strlen(src), which may be >= sizeof(dest) on truncation */
size_t len = strlcpy(dest, src, sizeof(dest));
dest[len] = '\0';   /* out-of-bounds write when len >= sizeof(dest) */
```

Secure Code

```c
size_t len = strlcpy(dest, src, sizeof(dest));
if (len < sizeof(dest)) {   /* only index dest when the result fit */
    dest[len] = '\0';
}
```

Remediation
Check the return value of strlcpy() and strlcat() before using it as an index: a value greater than or equal to the size of the destination buffer means the string was truncated, and the index is outside the buffer.
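The following is an added example (not part of the rule text) that shows the remediation applied across a strlcpy() call followed by strlcat() calls. Because strlcpy() and strlcat() are not present in every libc, the example carries its own local_strlcpy() and local_strlcat() with the documented strlcpy()/strlcat() semantics; build_login() and unchecked_terminator_index_is_oob() are hypothetical helpers written for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local reimplementation with strlcpy()'s documented semantics, used only so
 * the example builds where libc lacks strlcpy(): copies at most size-1 bytes,
 * NUL-terminates when size > 0, and returns strlen(src) (the length it
 * tried to create), which may exceed size. */
static size_t local_strlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* strlcat() semantics: returns strlen(initial dst) + strlen(src), or
 * size + strlen(src) when dst is not terminated within size. */
static size_t local_strlcat(char *dst, const char *src, size_t size) {
    size_t dstlen = strnlen(dst, size);
    if (dstlen == size) {
        return size + strlen(src);
    }
    return dstlen + local_strlcpy(dst + dstlen, src, size - dstlen);
}

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1 };

/* Hypothetical helper: builds "<user>@<host>" in buf. Every return value is
 * compared against bufsz before it is used or trusted, which is the check
 * the rule asks for; buf is always NUL-terminated on return. */
static enum copy_status build_login(char *buf, size_t bufsz,
                                    const char *user, const char *host) {
    size_t len = local_strlcpy(buf, user, bufsz);
    if (len >= bufsz) {
        return COPY_TRUNCATED;      /* user alone did not fit */
    }
    len = local_strlcat(buf, "@", bufsz);
    if (len >= bufsz) {
        return COPY_TRUNCATED;
    }
    len = local_strlcat(buf, host, bufsz);
    if (len >= bufsz) {
        return COPY_TRUNCATED;
    }
    /* len < bufsz here, so buf[len] is inside the buffer: safe to index */
    return buf[len] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* Hypothetical helper that evaluates the insecure pattern without performing
 * the write: returns 1 when dest[strlcpy(dest, src, destsz)] would index
 * past the end of a destsz-byte buffer. */
static int unchecked_terminator_index_is_oob(const char *src, size_t destsz) {
    size_t len = strlen(src);           /* what strlcpy() would return */
    return len >= destsz ? 1 : 0;
}

int main(void) {
    char buf[8];                        /* constructed small buffer */
    enum copy_status st = build_login(buf, sizeof(buf), "alice", "example");
    printf("result=\"%s\" truncated=%d\n", buf, st == COPY_TRUNCATED);
    printf("unchecked index oob for \"alice\" into 4 bytes: %d\n",
           unchecked_terminator_index_is_oob("alice", 4));
    return 0;
}
```

build_login() treats any return value of at least bufsz as truncation and stops, so the caller never sees a half-built value used as an index; the insecure pattern from the rule would instead have written at buf[len] regardless.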
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0476 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-119 |
| Confidence | MEDIUM |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | memory corruption, buffer overflow |
| OWASP | N/A |