TICS Coding Standard Viewer 
TIOBE Software Quality Framework
Print-friendly version
©TIOBE Software www.tiobe.com
 
C++ Coding Standard
Search

Rule:  STR50-CPPChecked automatically with code checker

Synopsis:Guarantee that storage for strings has sufficient space for character data and the null terminator
Language:C++
Severity Level:1
Category:Security


Description:

Copying data to a buffer that is not large enough to hold that data results in a buffer overflow. Buffer overflows occur frequently when manipulating strings [Seacord 2013]. To prevent such errors, either limit copies through truncation or, preferably, ensure that the destination is of sufficient size to hold the data to be copied. C-style strings require a null character to indicate the end of the string, while the C++ std::basic_string template requires no such character.

Noncompliant Code Example

Because the input is unbounded, the following code could lead to a buffer overflow.

#include <iostream>
   
void f() {
   char buf[12];
   std::cin >> buf;
}

Noncompliant Code Example

To solve this problem, it may be tempting to use the std::ios_base::width()  method, but there still is a trap, as shown in this noncompliant code example.

#include <iostream>
   
void f() {
   char bufOne[12];
   char bufTwo[12];
   std::cin.width(12);
   std::cin >> bufOne;
   std::cin >> bufTwo;
}

In this example, the first read will not overflow, but could fill bufOne with a truncated string. Furthermore, the second read still could overflow bufTwo . The C++ Standard, [istream.extractors], paragraphs 79  [ISO/IEC 14882-2014], describes the behavior of  operator>>(basic_istream &, charT *) and, in part, states the following:

operator>>  then stores a null byte ( charT() ) in the next position, which may be the first position if no characters were extracted.  operator>>  then calls  width(0) .

Consequently, it is necessary to call  width()  prior to each  operator>>  call passing a bounded array. However, this does not account for the input being truncated, which may lead to information loss or a possible vulnerability.

Compliant Solution

The best solution for ensuring that data is not truncated and for guarding against buffer overflows is to use  std::string instead of a bounded array, as in this compliant solution.

#include <iostream>
#include <string>
   
void f() {
   std::string input;
   std::string stringOne, stringTwo;
   std::cin >> stringOne >> stringTwo;
}

Noncompliant Code Example

In this noncompliant example, the unformatted input function  std::basic_istream<T>::read() is used to read an unformatted character array of 32 characters from the given file. However, the  read() function does not guarantee that the string will be null terminated, so the subsequent call of the  std::string constructor results in undefined behavior if the character array does not contain a null terminator.

#include <fstream>
#include <string>
   
void f(std::istream &in) {
   char buffer[32];
   try {
     in.read(buffer, sizeof (buffer));
   } catch (std::ios_base::failure &e) {
     // Handle error
   }
   
   std::string str(buffer);
   // ...
}

Compliant Solution

This compliant solution assumes that the input from the file is at most 32 characters. Instead of inserting a null terminator, it constructs the  std::string object based on the number of characters read from the input stream. If the size of the input is uncertain, it is better to use  std::basic_istream<T>::readsome() or a formatted input function, depending on need.

#include <fstream>
#include <string>
 
void f(std::istream &in) {
   char buffer[32];
   try {
     in.read(buffer, sizeof (buffer));
   } catch (std::ios_base::failure &e) {
     // Handle error
   }
   std::string str(buffer, in.gcount());
   // ...
}