Unterminated String in strncpy or stpncpy
Description
If there is no NUL character byte in the first n bytes of the source string, strncpy() and stpncpy() do not NUL-terminate the destination buffer. If the program does not explicitly terminate the destination buffer, this will almost certainly result in information disclosure, and possibly a buffer overflow condition.
Examples
Insecure Code
c
strncpy(dst, src, 10);Secure Code
c
strncpy(dst, src, 10); dst[10] = '\0';Remediation
Ensure the destination buffer is explicitly NUL-terminated after calling strncpy() or stpncpy().
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0673 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-170 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | buffer overflow, information disclosure |
| OWASP | N/A |
References
- https://g.co/kgs/PCHQjJ
- https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
- https://cwe.mitre.org/data/definitions/170
- https://cwe.mitre.org/data/definitions/126