SEC-BUFFER-tainted-copy
Synopsis
User input is copied into a buffer.
Enabled by default
Yes
Severity/Certainty
High/Medium

Full description
An unbounded copy function is used to copy the contents of a buffer that contains user input into another buffer. If the length of the user input is not checked before it is copied, an attacker could supply data longer than the destination buffer can hold. The excess data could overwrite other values stored in memory, causing unexpected (and potentially dangerous) behavior, and could lead to arbitrary code execution. Check the length of user input before it is used in an unbounded copy function, or avoid such functions altogether.
Coding standards
- CWE 120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE 119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Code examples
The following code example fails the check and will give a warning:
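#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char passwd[10];
    char *input = getenv("PASSWORD");  /* user-controlled, any length */
    int accept = 0;

    if (input == NULL)                 /* variable not set */
        return 1;
    /* Unbounded copy of tainted data: the length of input is never checked. */
    strcpy(passwd, input);
    if (accept)
        printf("Login Successful\n");
    else
        printf("Unsuccessful Login\n");
    return 0;
}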
The following code example passes the check and will not give a warning about this issue:
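#include <string.h>
#include <stdio.h>

int main(int argc, char **argv) {
    char passwd[10];
    int accept = 0;

    if (argc < 2)                      /* no argument supplied */
        return 1;
    /* Copy only when the input, plus its terminating NUL, fits in passwd. */
    if (strlen(argv[1]) < sizeof(passwd))
        strcpy(passwd, argv[1]);
    if (accept)
        printf("Login Successful\n");
    else
        printf("Unsuccessful Login\n");
    return 0;
}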
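The description's other remedy, avoiding unbounded copy functions altogether, as an added example that is not part of the original rule documentation. The names `copy_checked` and `copy_status` are hypothetical; the helper rejects missing or over-long input instead of truncating it, and never reads or writes past the destination size.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum copy_status { COPY_OK = 0, COPY_NULL_INPUT = -1, COPY_TOO_LONG = -2 };

/* Hypothetical helper: copy src into dst only if src and its NUL fit. */
static enum copy_status copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return COPY_NULL_INPUT;
    dst[0] = '\0';              /* dst holds a valid string on every path */
    if (src == NULL)            /* e.g. getenv() did not find the variable */
        return COPY_NULL_INPUT;

    /* Search for the terminator within the first dst_size bytes only, so the
     * length scan itself is bounded by the destination size. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return COPY_TOO_LONG;   /* reject; do not truncate silently */

    memcpy(dst, src, (size_t)(end - src) + 1);  /* bounded, includes the NUL */
    return COPY_OK;
}

int main(void)
{
    char passwd[10];            /* same size as in the examples above */
    enum copy_status st = copy_checked(passwd, sizeof passwd, getenv("PASSWORD"));

    if (st != COPY_OK) {
        fprintf(stderr, "PASSWORD rejected (status %d)\n", (int)st);
        return 1;
    }
    printf("PASSWORD accepted, %zu bytes\n", strlen(passwd));
    return 0;
}
```

Rejecting over-long input is a deliberate choice here: a silently truncated password would be compared as a different string than the one supplied.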