CodeQL documentation

Potentially unsafe call to strncat

ID: cpp/unsafe-strncat
Kind: problem
Security severity: 9.3
Severity: warning
Precision: high
Tags:
   - reliability
   - correctness
   - security
   - external/cwe/cwe-788
   - external/cwe/cwe-676
   - external/cwe/cwe-119
   - external/cwe/cwe-251
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls


The standard library function strncat appends a source string to a target string. The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer.

Calls of the form strncat(dest, src, strlen(dest)) or strncat(dest, src, sizeof(dest)) set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.

Similarly, calls of the form strncat(dest, src, sizeof(dest)-strlen(dest)) allow one byte to be written outside the dest buffer.

Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.

Recommendation

Check the highlighted function calls carefully to ensure that no buffer overflow is possible. For a more robust solution, consider updating the function call to include the remaining space in the destination buffer.

Example

strncat(dest, src, strlen(dest)); // wrong: should use remaining size of dest

strncat(dest, src, sizeof(dest)); // wrong: should use remaining size of dest.
                                  // Also fails if dest is a pointer and not an array.

strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.

strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.
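
The four call forms above, worked through on an 8-byte buffer. This is an added example, not code from the CodeQL documentation or repository; the helper names strncat_end and bounded_append are hypothetical and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* One past the last byte strncat(dest, src, n) writes, as an offset into dest:
   it copies at most n characters of src and then always adds a terminating NUL. */
static size_t strncat_end(size_t dest_len, size_t src_len, size_t n)
{
    size_t copied = src_len < n ? src_len : n;
    return dest_len + copied + 1;
}

/* Hypothetical helper: append src to dest, which holds dest_size bytes.
   The size is passed explicitly, so it also works when dest is a pointer.
   Returns 0 on success, 1 if src was truncated, -1 if dest is not terminated. */
static int bounded_append(char *dest, size_t dest_size, const char *src)
{
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL)
        return -1;
    size_t used = (size_t)(end - dest);
    size_t room = dest_size - used - 1;   /* reserve the NUL byte */
    strncat(dest, src, room);
    return strlen(src) > room ? 1 : 0;
}

int main(void)
{
    char dest[8] = "abcde";               /* constructed sample input */
    const char *src = "0123456789";
    size_t d = strlen(dest), s = strlen(src), cap = sizeof(dest);
    size_t counts[] = { d, cap, cap - d, cap - d - 1 };
    const char *forms[] = { "strlen(dest)", "sizeof(dest)",
                            "sizeof(dest)-strlen(dest)",
                            "sizeof(dest)-strlen(dest)-1" };
    /* Model each call form without executing the overflowing ones. */
    for (int i = 0; i < 4; i++) {
        size_t e = strncat_end(d, s, counts[i]);
        printf("%-28s end offset %2zu of %zu: %s\n", forms[i], e, cap,
               e > cap ? "overflow" : "ok");
    }
    int rc = bounded_append(dest, sizeof(dest), src);
    printf("bounded_append -> %d, dest = \"%s\"\n", rc, dest);
    return 0;
}
```

The third form ends at offset 9 of 8, which is the single NUL byte written past the buffer that the query flags.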
