Checkers:SV.UNBOUND_STRING_INPUT.CIN



Buffer overflow from unbounded string input

The string copy function is used to copy a string of characters to a buffer of memory. The strcpy function has no argument to limit the size of the written data, so a buffer overflow may result.

The SV.UNBOUND_STRING_INPUT.CIN checker looks for code calling string copy functions that don't specify a buffer size—either getwd() or a function that uses C++ input.

Vulnerability and risk

If the string copy function is called without a size parameter, a buffer overrun error can result. This can lead to application instability or, with a carefully constructed attack, code injection, or other vulnerabilities.

For information on vulnerability and risk in buffer overflows, see Understanding buffer overflows.

Mitigation and prevention

To avoid this vulnerability, make sure you use functions that have buffer size as an input parameter, or use a function like strlen() to determine the buffer size you need.
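The following is an added example, not code from the checker documentation. It shows the flagged pattern as a comment, next to three bounded alternatives. The helper names (read_token_bounded, read_token_string, current_dir) and the sample input are constructed for illustration, and POSIX getcwd() is assumed as the size-taking replacement for getwd().

```cpp
#include <cstddef>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>
#include <unistd.h>   // getcwd (POSIX)

// Flagged pattern (kept as a comment so the example stays safe to run):
//   char name[16];
//   std::cin >> name;   // no width: copies the whole token, however long
//   getwd(path);        // no size argument at all

// Fix 1: std::setw(N) caps operator>> at N-1 characters plus the NUL.
// The width resets after each extraction, so it is set on every read.
template <std::size_t N>
bool read_token_bounded(std::istream& in, char (&buf)[N]) {
    buf[0] = '\0';
    in >> std::setw(static_cast<int>(N)) >> buf;
    return static_cast<bool>(in);
}

// Fix 2: std::string grows to fit; enforce the policy limit explicitly.
bool read_token_string(std::istream& in, std::string& out, std::size_t max_len) {
    return static_cast<bool>(in >> out) && out.size() <= max_len;
}

// Fix 3: getcwd() takes the buffer size and fails (ERANGE) rather than overflowing.
bool current_dir(char* buf, std::size_t size) {
    return getcwd(buf, size) != nullptr;
}

int main() {
    std::istringstream in(std::string(32, 'A') + " tail");  // constructed input
    char name[8];
    read_token_bounded(in, name);
    std::cout << "stored " << std::string(name).size() << " of 32 chars\n";
    char cwd[4096];
    if (current_dir(cwd, sizeof cwd)) std::cout << cwd << '\n';
    return 0;
}
```

With the bounded read, the excess characters stay in the stream instead of being written past the buffer, so the caller has to decide whether to discard or reject the remainder.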

Related checkers

External guidance