Warning C6059

Incorrect length parameter in call to 'function'. Pass the number of remaining characters, not the buffer size of 'variable'.

Remarks

This warning indicates that a call to a string concatenation function is probably passing an incorrect value for the number of characters to concatenate. This defect might cause an exploitable buffer overrun or crash. A common cause of this defect is passing the buffer size (instead of the remaining number of characters in the buffer) to the string manipulation function.

This warning helps identify the common error of sending the size of the target buffer instead of the size of the data. It does so by detecting when the size used to allocate the buffer is passed, unchanged, to the function putting data in the buffer.

Code analysis name: BAD_CONCATENATION

Example

The following code generates warning C6059:

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  strncat(szTarget, szState, MAX); // wrong size
  // code ...
}

To correct this warning, use the correct number of characters to concatenate as shown in the following code:

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  // strncat appends up to n characters and then a '\0', so reserve one byte for it
  strncat(szTarget, szState, MAX - strlen(szTarget) - 1); // correct size
  // code ...
}

To correct this warning using the safe string manipulation functions strncpy_s and strncat_s, see the following code:

#include <string.h>

void f( )
{
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  size_t nTargetSize = strlen(szState) + strlen(szCity) + 1;
  char *szTarget= new char[nTargetSize];

  strncpy_s(szTarget, nTargetSize, szCity, strlen(szCity));
  strncat_s(szTarget, nTargetSize, szState,
                    nTargetSize - strlen(szTarget));
  // code ...
  delete [] szTarget;
}

Heuristics

This analysis detects when the target buffer size is passed unmodified into the length parameter of the string manipulation function. This warning isn't given if some other value is passed as the length parameter, even if that value is incorrect.

Consider the following code that generates warning C6059:

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  strncat(szTarget, szState, MAX); // wrong size
  // code ...
}

The warning goes away when the MAX argument to strncat is changed to MAX - 1, even though the length calculation is still incorrect:

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  strncat(szTarget, szState, MAX - 1); // wrong size, but no warning
  // code ...
}
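
The arithmetic behind this heuristic, as an added example that is not part of the original page: strncat appends up to n characters and then a terminating null, so a count can be wrong whether or not C6059 fires. The helper names (strncat_fits, bounded_append) are illustrative assumptions, not library functions.

```c
#include <stddef.h>
#include <string.h>

/* Added example: these helpers are illustrative, not part of any library. */

/* Highest buffer index that strncat(dst, src, n) writes (its terminating
   NUL), given the current length of dst and the length of src. */
static size_t strncat_last_index(size_t dst_len, size_t src_len, size_t n)
{
    size_t appended = src_len < n ? src_len : n;
    return dst_len + appended;          /* index of the NUL strncat writes */
}

/* 1 if the call stays inside a buffer of dst_size bytes, 0 if it overruns. */
int strncat_fits(size_t dst_size, size_t dst_len, size_t src_len, size_t n)
{
    return strncat_last_index(dst_len, src_len, n) < dst_size;
}

/* Bounded append: returns 0 on success, -1 if src was truncated or dst has
   no NUL within dst_size. Never writes past dst[dst_size - 1]. */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;                      /* unterminated: no safe append */
    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used - 1;  /* characters, excluding the NUL */
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}
```

With a 25-byte buffer holding 9 characters and a 30-character source, counts of 25, 24 and 16 all overrun the buffer; 15 is the largest count that fits.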
