Note: This page is part of the us-cert.gov archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

Strsafe.h

Published: September 27, 2005 | Last revised: May 10, 2013 Author(s): Daniel Plakosh Maturity Levels and Audience Indicators: L2  / D/P  L  SDLC Life Cycles: Implementation  Copyright: Copyright © 2005, 2008 Pearson Education, Inc.

Abstract

Microsoft provides a set of safer string handling functions for the C programming language called Strsafe.h. These functions are intended to replace their built-in C/C++ counterparts, as well as any legacy Microsoft-specific string handing functions.

Development Context

String manipulation

Technology Context

C/C++, Win32

Attacks

Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.

Risk

Standard C string manipulation functions are prone to programmer mistakes that can result in buffer overflow vulnerabilities.

Description

Microsoft provides a set of safer string handling functions for the C programming language called Strsafe.h [MSDN 08]. These functions are intended to replace their built-in C/C++ counterparts, as well as any legacy Microsoft-specific string handing functions.

The Strsafe functions support both ANSI and Unicode characters, always return a status code, and require that the programmer always specifies the size of the destination buffer. Separate functions are provided that allow the programmer to specify the size of the destination buffer using either character or byte counts.

The Microsoft Strsafe library functions guarantee that all strings are null terminated (even if they are truncated) and that a write does not occur past the end of the destination buffer. These functions are safe as long as the programmer inputs the actual starting address of the destination buffer and correct length. As a result, care must still be taken when using these functions.

Figure 1 shows an example program that performs a secure string copy on line 6 and a secure string concatenation on line 11.

Figure 1. Microsoft Strsafe example

 1. #include <Strsafe.h>
 2. int main(int argc, char *argv[])
 3. {
 4.   char MyString[128];
 5.   HRESULT Res;
 6.   Res=StringCbCopy(MyString, sizeof(MyString), "Program 1. Name is ");
 7.   if (Res != S_OK) {
 8.     printf("StringCbCopy Failed: %s", MyString)
 9.     exit(-1);
10.   }
11.   Res=StringCbCat(MyString,sizeof(MyString),argv[0]);
12.   if (Res != S_OK) {
13.     printf("StringCbCat Failed: %s", MyString);
14.     exit(-1);
15.   }
16.   printf("%s", MyString);
17.   return 0;
18. }

It is also important to remember that the Strsafe functions, such as StringCchCopy() and StringCchCat(), do not have the same semantics as the Microsoft CRT functions strncpy_s() and strncat_s(). When strncat_s() detects an error it sets the destination string to a null string, while StringCchCat() fills the destination with as much data as possible and then null-terminates the string.

References

[ISO/IEC 99]

ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01 Programming languages — C. International Organization for Standardization, 1999.

[MSDN 08]

Microsoft Corp. Using the Strsafe.h Functions (2008).

 

This material is excerpted from Secure Coding in C and C++, by Robert C. Seacord, copyright © 2006 by Pearson Education, Inc., published as a CERT® book in the SEI Series in Software Engineering. All rights reserved. It is reprinted with permission and may not be further reproduced or distributed without the prior written consent of Pearson Education, Inc.