JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C and C++
Binaries

MISC.MEM.NTERM : No Space For Null Terminator

Summary

A string copying function is used in a way that prevents null termination.

Properties

Class Name No Space For Null Terminator
Significance security
Mnemonic MISC.MEM.NTERM
Categories
AUTOSARC++14 AUTOSARC++14:A27-0-2 A C-style string shall guarantee sufficient space for data and the null terminator.
MisraC++2023 MisraC++2023:0.3.2 A function call shall not violate the function's preconditions
CWE CWE:170 Improper Null Termination
TS17961 TS17961:5.30-nonnullstr Passing a non-null-terminated string to a library function
CERT-C CERT-C:STR03-C Do not inadvertently truncate a string
  CERT-C:STR31-C Guarantee that storage for strings has sufficient space for character data and the null terminator
CERT-CPP CERT-CPP:STR50-CPP Guarantee that storage for strings has sufficient space for character data and the null terminator
DISA-6r1 DISA-6r1:V-222612 The application must not be vulnerable to overflow attacks.
DISA-5r3 DISA-5r3:V-70277 The application must not be vulnerable to overflow attacks.
DISA-4r3 DISA-4r3:V-70277 The application must not be vulnerable to overflow attacks.
DISA-3r10 DISA-3r10:V-6165 The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.
Availability Available for C and C++.
Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file. 
WARNING_FILTER += discard class="No Space For Null Terminator"

Example 

#include <string.h>
#include <stdlib.h>

void f(void)
{
    char buf[10];
    const char *val = getenv("foo");
    if( !val )
        return;
    strncpy( buf, val, sizeof(buf) );
}

Triggering Functions

CodeSonar ships with library models that allow it to recognize functions such as libc strncpy() and Win32 wcpncpy() that perform string copying. If one of these functions is called with too long a string in the input parameter position, a warning will be issued.

If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering No Space For Null Terminator warnings.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

 

To report problems with this documentation, please visit https://support.codesecure.com/.