# Insecure use of strcat family functions

## Description
The `strcat` family of functions has no way to limit how many bytes are written to the destination buffer: it copies until the terminating NUL of the source, so a source longer than the remaining space overflows the destination. Use a bounded alternative such as `snprintf` instead. When developing against the C Runtime Library (CRT), use the more secure versions of these functions that it provides.
## Examples

### Insecure Code

```c
char buffer[10] = "";     /* destination must already hold a NUL for strcat to append to */
strcat(buffer, "hello");  /* copies until the source's NUL; never checks that buffer has room */
```

### Secure Code

```c
char buffer[10];
snprintf(buffer, sizeof(buffer), "%s", "hello");  /* writes at most sizeof(buffer) - 1 chars plus the NUL */
```

## Remediation

Replace `strcat` family functions with bounded alternatives such as `snprintf`, or use the secure versions of these functions provided by the C Runtime Library (CRT).
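Because `snprintf` with `"%s"` overwrites rather than appends, a drop-in replacement for `strcat` needs to find the current end of the destination and bound the copy from there. The following is an added example, not code from the rule itself; `safe_append` and `build_greeting` are hypothetical helper names, and the inputs are constructed. `safe_append` also refuses a destination that is not NUL-terminated within its capacity, the case where `strcat` would read and write past the end.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Bounded append: appends src to dst, whose capacity is cap bytes including the
   terminating NUL. Returns true if the whole string fit, false if it was
   truncated (dst is still NUL-terminated) or dst was not NUL-terminated. */
static bool safe_append(char *dst, size_t cap, const char *src)
{
    /* memchr never scans past cap bytes, unlike strlen on an unterminated dst */
    const char *nul = memchr(dst, '\0', cap);
    if (nul == NULL) {
        return false;  /* no NUL within cap: refuse rather than overflow */
    }
    size_t used = (size_t)(nul - dst);
    /* snprintf returns the length it wanted to write, excluding the NUL */
    int wanted = snprintf(dst + used, cap - used, "%s", src);
    if (wanted < 0) {
        return false;
    }
    return (size_t)wanted < cap - used;
}

/* Builds a fixed-size greeting from a caller-supplied name of any length.
   Returns the resulting string length, or -1 if the output was truncated. */
int build_greeting(char *out, size_t cap, const char *name)
{
    out[0] = '\0';  /* the strcat family needs a NUL to start from */
    if (!safe_append(out, cap, "hello ")) return -1;
    if (!safe_append(out, cap, name)) return -1;
    return (int)strlen(out);
}

int main(void)
{
    char buffer[10];
    /* The pattern the rule flags, left unexecuted: "hello world!!!" is 14 bytes
       plus a NUL, so strcat would write 5 bytes past the end of buffer.
       strcat(buffer, "hello world!!!"); */

    /* Bounded version: reports truncation instead of overflowing. */
    int n = build_greeting(buffer, sizeof buffer, "bob");
    printf("%d \"%s\"\n", n, buffer);   /* 9 "hello bob" */
    n = build_greeting(buffer, sizeof buffer, "world!!!");
    printf("%d \"%s\"\n", n, buffer);   /* -1 "hello wor", still NUL-terminated */
    return 0;
}
```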
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0569 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-120 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | buffer overflow, insecure function |
| OWASP | A1:2017-Injection, A03:2021-Injection |