Miscalculated Null Termination

From Guidance Share

Miscalculated null termination occurs when the null character that should terminate a buffer of characters (a string) is written at the wrong position or omitted entirely, so that string functions which rely on the terminator read or write beyond the intended end of the data.

Applies To

  • Languages: C, C++
  • Operating Platforms: All


Example

While the following example is not exploitable, it shows how a null terminator can be omitted even when a length-limited function such as strncpy() is used. strncpy() copies at most n bytes and writes a terminator only if the source string is shorter than n; if the source is n bytes or longer, the destination is left unterminated:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char longString[] = "Cellular bananular phone";  /* 24 characters plus terminator */
    char shortString[16];

    /* strncpy copies at most 16 bytes; the source is longer, so no NUL is written */
    strncpy(shortString, longString, 16);

    /* Inspect the final byte of the buffer (index 15) directly, rather than calling
       strlen() on a buffer that may not be terminated */
    printf("The last character in shortString is: %c %x\n",
           shortString[15], (unsigned char)shortString[15]);
    return 0;
}

The above code gives the following output:

The last character in shortString is: l 6c

So the shortString array does not end in a null character, even though the length-limited string function strncpy() was used: all 16 bytes were consumed by characters from longString, leaving no room for the terminator. Any later call to strlen(), strcpy(), or printf("%s") on shortString will read past the end of the array until it happens to find a zero byte.

Consequences

  • Confidentiality: Information disclosure may occur if a string with a misplaced or omitted null character is printed or copied, since string functions keep reading adjacent memory until they find a zero byte.
  • Availability: A null character written at the wrong offset, or missing altogether, may put the program into an undefined state and therefore make it prone to crashing.
  • Integrity: A misplaced null character may corrupt other data in memory, for example by truncating a neighbouring string or overwriting the byte after a buffer.
  • Access Control: Should the null character corrupt the process flow, or affect a flag controlling access, it may lead to logical errors which allow for the execution of arbitrary code.

Causes

  • Failure to properly null terminate a string
  • Failure to account for library functions, such as strncpy(), which do not guarantee a null terminator on the destination

Mitigations

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Implementation: Ensure that every string function used is fully understood as to whether, and when, it writes a null terminator; after a bounded copy, terminate the destination explicitly or use a function such as snprintf() that always does. Also be wary of off-by-one errors when writing the terminator: the last valid index of a buffer of size n is n-1, and writing to index n is itself a one-byte overflow.
