Checkers:NNTS.TAINTED
From current
Buffer overflow from non null-terminated string in tainted input
In C and C++, a C string, or a null-terminated string, is a character sequence terminated with a null character (\0). The length of a C string is found by searching for the null character.
The NNTS family of checkers looks for code that uses string manipulation functions with character arrays that are not or may not be null terminated. The NNTS.TAINTED checker looks for buffer overflows due to a non null-terminated string caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.
Vulnerability and risk
The null termination has historically created security problems. For example:
- a null character inserted into a string can truncate it unexpectedly
- it's a common bug not to allocate enough space for the null character or to forget the null
- many programs don't check the length before copying a string to a fixed-size buffer, causing a buffer overflow when it's too long
- the inability to store a null character means that string and binary data needs to be handled by different functions, which can cause problems if the wrong function is used
For more information on vulnerability and risk in buffer overflow, see Understanding buffer overflows.
Mitigation and prevention
To avoid the problem:
- add special code to validate null termination of string buffers if performance constraints permit
- switch to bounded-string manipulation functions like strncpy
- inspect buffer lengths involved in the buffer overrun traceback
Code examples
Vulnerable code example
1 void TaintedAccess() 2 { 3 char src[32]; 4 5 char dst[48]; 6 7 read(0, src, sizeof(src)); 8 strcpy(dst, src); 9 }
The function 'read' reads arbitrary data from the external source (file), which may be tainted. The resulting buffer is not guaranteed to be null terminated (static size of buffers does not matter here). When strcpy is invoked, two violations occur: reading past bounds of src, and writing past bounds of dst. In this case, the NNTS.TAINTED checker has found two buffer overflows due to non null-terminated strings caused by unvalidated input data originating from the user or external devices. Klocwork produces a buffer overflow report for array 'dst' at line 8: buffer overflow of 'dst', caused by unvalidated user input due to non null-terminated string 'src'. A similar error is reported for array 'src', also at line 8. This code will result in buffer overflows, which can cause various significant security problems.
Related checkers
External guidance
- CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-88:Argument Injection or Modification
- CWE-120:Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-170: Improper Null Termination
- STR02-C:Sanitize data passed to complex subsystems
- STR35-C:Do not copy data from an unbounded source to a fixed length array
- STIG-ID:APP3510 Input Validation
- STIG-ID:APP3570 Application vulnerable to Command Injection
- STIG-ID:APP3590.1 Application is vulnerable to buffer overflows
- 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
Extension
This checker can be extended. Platform-specific and application-specific information can be added through the Klocwork knowledge base. Configuration is used to describe properties of system functions that perform buffer manipulation. Several platform-specific configurations are provided as part of the standard distribution. See Tuning C/C++ analysis for more information.