The program performs a buffer copy or write operation with no upper limit on the size of the copy, and it appears that certain inputs will cause a buffer overflow to occur in this case. In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.
Always control the length of buffer copy and buffer write operations.
strncpy should be used over
sprintf, and in other cases 'n-variant' functions should be preferred.
In this example, the call to
strcpy copies a message of 14 characters (including the terminating null) into a buffer with space for just 10 characters. As such, the last four characters overflow the buffer resulting in undefined behavior.
To fix this issue three changes should be made:
- Control the size of the buffer using a preprocessor define.
- Replace the call to
strncpy, specifying the define as the maximum length to copy. This will prevent the buffer overflow.
- Consider increasing the buffer size, say to 20 characters, so that the message is displayed correctly.
- CERT C Coding Standard: STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator.
- Common Weakness Enumeration: CWE-120.
- Common Weakness Enumeration: CWE-787.
- Common Weakness Enumeration: CWE-805.