Incorrect use of strncat
Description
The strncat() function is nearly as dangerous as strcat(), in that it is quite easy to misuse. The first common mistake is supplying the size of the entire buffer instead of the size remaining in the buffer. A more subtle mistake is also possible: because strncat() always writes a terminating NUL byte after the (at most) n bytes it copies, the size parameter needs to be the amount of space left in the buffer less one; otherwise, the NUL byte is written one byte past the end of the buffer.
Examples
Insecure Code
```c
char buffer[10] = "";
/* Size of the whole buffer is passed: strncat may copy 10 bytes and then
 * write the NUL terminator into buffer[10], one past the end. */
strncat(buffer, "hello", 10);
```
Secure Code
```c
char buffer[10] = "";
/* Buffer is empty, so space left is 10; pass 10 - 1 = 9 to leave room
 * for the NUL terminator. */
strncat(buffer, "hello", 9);
```
Remediation
Use the correct size parameter for strncat, which should be the amount of space left in the buffer minus one.
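The following is an added example (not code from the rule page itself) that carries the remediation through for the general case of a buffer that already holds data, rather than the empty buffer of the snippets above. The helper names `strncat_bound`, `safe_append` and `strncat_bytes_written` are hypothetical; it computes the bound the rule asks for (space left minus one), appends with it, and shows why passing the raw space left is still an off-by-one.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original rule page.
 * strncat(dst, src, n) copies at most n bytes from src and then ALWAYS
 * writes a terminating NUL, so a single call can touch n + 1 bytes after
 * the current end of dst. The correct bound is therefore
 *     sizeof(dst) - strlen(dst) - 1
 */

/* strlen that never reads past limit bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t i = 0;
    while (i < limit && s[i] != '\0')
        i++;
    return i;
}

/* Bound to pass as strncat's third argument for a buffer of dst_size bytes.
 * Returns 0 when the buffer is full, or when no NUL terminator lies inside
 * it (malformed input), so the caller appends nothing. Hypothetical helper. */
size_t strncat_bound(const char *dst, size_t dst_size)
{
    size_t used = bounded_len(dst, dst_size);
    if (used >= dst_size)        /* no terminator inside the buffer: refuse */
        return 0;
    return dst_size - used - 1;  /* space left, minus one for the NUL */
}

/* Appends src to dst without ever writing past dst[dst_size - 1].
 * Returns the resulting length of dst; truncation is silent, as with
 * strncat itself. Hypothetical helper. */
size_t safe_append(char *dst, size_t dst_size, const char *src)
{
    size_t n = strncat_bound(dst, dst_size);
    if (n == 0)
        return bounded_len(dst, dst_size);
    strncat(dst, src, n);
    return strlen(dst);
}

/* Number of bytes one strncat call writes for a given n and source length:
 * min(n, src_len) data bytes plus one NUL. This is the quantity behind the
 * description's "NUL byte one past the end". Hypothetical helper. */
size_t strncat_bytes_written(size_t n, size_t src_len)
{
    size_t copied = src_len < n ? src_len : n;
    return copied + 1;
}

int main(void)
{
    char buffer[10] = "abc";   /* constructed sample: 3 bytes used, 7 left */

    size_t n = strncat_bound(buffer, sizeof buffer);   /* 10 - 3 - 1 = 6 */
    printf("bound=%zu\n", n);

    safe_append(buffer, sizeof buffer, "defghijkl");   /* truncated to fit */
    printf("result=\"%s\" len=%zu\n", buffer, strlen(buffer));

    /* Passing the raw space left (7) instead of 6 lets strncat copy 7 bytes
     * and then place the NUL at buffer[10]: 8 bytes into 7 free slots. */
    printf("bytes written with n=7 and a long source: %zu\n",
           strncat_bytes_written(7, 9));
    return 0;
}
```

For an empty buffer of 10 bytes `strncat_bound` returns 9, which is exactly the value in the secure snippet above; for a buffer that is already full it returns 0, so the append is skipped instead of writing the terminator out of bounds.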
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0660 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-787 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | buffer overflow, string manipulation |
| OWASP | N/A |
References
- https://cwe.mitre.org/data/definitions/787
- https://g.co/kgs/PCHQjJ
- https://cwe.mitre.org/data/definitions/193