Note: This page is part of the us-cert.gov archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

memcpy_s() and memmove_s()

Published: September 27, 2005 | Last revised: October 06, 2008 Author(s): Daniel Plakosh Maturity Levels and Audience Indicators: L2  / D/P  L  SDLC Life Cycles: Implementation  Copyright: Copyright © Carnegie Mellon University 2005-2012.

Abstract

Substituting the memcpy_s() and memmove_s() functions for the memcpy() and memmove()  functions can help guard against software vulnerabilities.

Development Context

Copying characters from one memory location to another.

Technology Context

C++, C, UNIX, Win32

Attacks

Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.

Risk

The memcpy() and  memmove() functions are a source of buffer overflow vulnerabilities.

Description

The memcpy_s() and memmove_s() functions defined in ISO/IEC TR 24731 are similar to the corresponding less-secure memcpy() and memmove() functions but provide some additional safeguards. The secure versions of these functions add an additional argument that specifies the maximum size of the destination. The memcpy_s() and memmove_s() functions return zero if successful. A nonzero value is returned if either the source or desti­nation pointer is NULL, if the specified number of characters to copy/move is greater than the maximum size of the destination buffer, or the number of charac­ters to copy/move or the maximum size of the destination buffer is greater than RSIZE_MAX.1

References

[ISO/IEC 99]

ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01 Programming languages — C. International Organization for Standardization, 1999.

[ISO/IEC 05]

ISO/IEC. ISO/IEC TR 24731 Extensions to the C library -- Part 1: Bounds-checking interfaces. International Organization for Standardization, 2005.
  • 1. The RSIZE_MAX is used to limit the size of objects passed to functions that have parameters of type rsize_t . Extremely large object sizes are frequently a sign that an object’s size was calculated incorrectly. For example, negative numbers appear as very large positive numbers when converted to an unsigned type like size_t. Also, some implementations do not support objects as large as the maximum value that can be represented by type size_t . As a result, it is sometimes beneficial to restrict the range of object sizes to detect potential vulnerabilities.

Copyright © Carnegie Mellon University 2005-2012.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission.  Permission is required for any other use.  Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.

NO WARRANTY

THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.