用户工具

站点工具


cwe:cn:definition:131

CWE-131:缓冲区大小计算不正确

Description Summary

The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Likelihood of Exploit

High to Very High

Common Consequences

Scope Technical Impace Note
Integrity
Availability
Confidentiality
DoS: crash / exit / restart
Execute unauthorized code or commands
Read memory
Modify memory
If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data.

Detection Methods

Detection Method - 1

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.

Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or do not require any code changes.

Automated static analysis might not be able to detect the usage of custom API functions or third-party libraries that indirectly invoke SQL commands, leading to false negatives - especially if the API/library code is not available for analysis.

This is not a perfect solution, since 100% accuracy and coverage are not feasible.
2013/05/30 09:36

Detection Method - 2

Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

2013/05/30 09:36

Detection Method - 3

Manual Analysis

Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.

2013/05/30 09:36

Detection Method - 4

Manual Analysis

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.

Specifically, manual analysis can be useful for finding this weakness, and for minimizing false positives assuming an understanding of business logic. However, it might not achieve desired code coverage within limited time constraints. For black-box analysis, if credentials are not known for privileged accounts, then the most security-critical portions of the application may not receive sufficient attention.

Consider using OWASP CSRFTester to identify potential issues and aid in manual analysis.

These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
2013/05/30 09:37

Detection Method - 5

Automated Static Analysis - Binary / Bytecode

According to SOAR, the following detection techniques may be useful:

Detection Method - 6

Manual Static Analysis - Binary / Bytecode

According to SOAR, the following detection techniques may be useful:

Detection Method - 7

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Detection Method - 8

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Detection Method - 9

Architecture / Design Review

According to SOAR, the following detection techniques may be useful:

Potential Mitigations

Mitigation - 1

Implementation

When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts ”&” characters to ”&” for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.

Mitigation - 2

Implementation

Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, “not-a-number” calculations, and how the language handles numbers that are too large or too small for its underlying representation. [R.190.3]

Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.

2013/05/30 13:23

Mitigation - 3

Implementation

Strategy:Input Validation

Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.

2013/05/30 09:37

Mitigation - 4

Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

2013/05/30 09:37

Mitigation - 5

Implementation

When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).

Mitigation - 6

Implementation

When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.

Mitigation - 7

Implementation

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

2013/05/30 09:37

Mitigation - 8

Implementation

Use sizeof() on the appropriate data type to avoid CWE-467.

Mitigation - 9

Implementation

Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify sanity checks and will reduce surprises related to unexpected casting.

Mitigation - 10

Architecture and Design

Strategy:Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

For example, use anti-CSRF packages such as the OWASP CSRFGuard. [R.352.3]

Another example is the ESAPI Session Management control, which includes a component for CSRF. [R.352.9]

2013/05/30 09:36

Mitigation - 11

Build and Compilation

Strategy:Compilation or Build Hardening

Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows.

For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.

2013/05/30 09:37

Mitigation - 12

Operation

Strategy:Environment Hardening

Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.

Examples include Address Space Layout Randomization (ASLR) [R.806.3] [R.806.5] and Position-Independent Executables (PIE) [R.806.7].

2013/05/30 09:37

Mitigation - 13

Operation

Strategy:Environment Hardening

Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [R.806.5] [R.806.6].

2013/05/30 09:37

Mitigation - 14

Implementation

Strategy:Compilation or Build Hardening

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

2013/05/30 09:37

Mitigation - 15

Architecture and Design Operation

Strategy:Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [R.98.2]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

2013/05/30 09:37

Mitigation - 16

Architecture and Design Operation

Strategy:Sandbox or Jail

Run the code in a “jail” or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.

OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.

This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.

Be careful to avoid CWE-243 and other weaknesses related to jails.

2013/05/30 09:37

Maintenance Notes

Maintenance Note - 1

This is a broad category. Some examples include:

This level of detail is rarely available in public reports, so it is difficult to find good examples.

Maintenance Note - 2

This weakness may be a composite or a chain. It also may contain layering or perspective differences.

This issue may be associated with many different types of incorrect calculations (CWE-682), although the integer overflow (CWE-190) is probably the most prevalent. This can be primary to resource consumption problems (CWE-400), including uncontrolled memory allocation (CWE-789). However, its relationship with out-of-bounds buffer access (CWE-119) must also be considered.

Demonstrative Examples

Example - 1

The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.

int i; 
unsigned int numWidgets; 
Widget **WidgetList; 
 
numWidgets = GetUntrustedSizeValue(); 
if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) { 
ExitError("Incorrect number of widgets requested!"); 
 
} 
WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *)); 
printf("WidgetList ptr=%p\n", WidgetList); 
for(i=0; i<numWidgets; i++) { 
WidgetList[i] = InitializeWidget(); 
 
} 
WidgetList[numWidgets] = NULL; 
showWidgets(WidgetList); 

However, this code contains an off-by-one calculation error. It allocates exactly enough space to contain the specified number of widgets, but it does not include the space for the NULL pointer. As a result, the allocated buffer is smaller than it is supposed to be (CWE-131). So if the user ever requests MAX_NUM_WIDGETS, there is an off-by-one buffer overflow when the NULL is assigned. Depending on the environment and compilation settings, this could cause memory corruption.

2013/05/30 13:23

Example - 2

The following image processing code allocates a table for images.

img_t table_ptr; /*struct containing img data, 10kB each*/ 
int num_imgs; 
... 
num_imgs = get_num_imgs(); 
table_ptr = (img_t*)malloc(sizeof(img_t)*num_imgs); 
... 

This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).

2013/05/30 13:23

Example - 3

This example applies an encoding procedure to an input string and stores it into a buffer.

char * copy_input(char *user_supplied_string){ 
int i, dst_index; 
char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE); 
if ( MAX_SIZE <= strlen(user_supplied_string) ){ 
die("user string too long, die evil hacker!"); 
 
} 
dst_index = 0; 
for ( i = 0; i < strlen(user_supplied_string); i++ ){ 
if( '&' == user_supplied_string[i] ){ 
dst_buf[dst_index++] = '&'; 
dst_buf[dst_index++] = 'a'; 
dst_buf[dst_index++] = 'm'; 
dst_buf[dst_index++] = 'p'; 
dst_buf[dst_index++] = ';'; 
 
} 
else if ('<' == user_supplied_string[i] ){ 
/* encode to &lt; */ 
 
} 
else dst_buf[dst_index++] = user_supplied_string[i]; 
 
} 
return dst_buf; 
 
} 

The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.

2013/05/30 13:23

Example - 4

The following code is intended to read an incoming packet from a socket and extract one or more headers.

DataPacket *packet; 
int numHeaders; 
PacketHeader *headers; 
 
sock=AcceptSocketConnection(); 
ReadPacket(packet, sock); 
numHeaders =packet->headers; 
 
if (numHeaders > 100) { 
ExitError("too many headers!"); 
 
} 
headers = malloc(numHeaders * sizeof(PacketHeader); 
ParsePacketHeaders(packet, headers); 

The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow.

2013/05/30 13:23

Example - 5

The following code attempts to save three different identification numbers into an array. The array is allocated from memory using a call to malloc().

int *id_sequence; 
 
/* Allocate space for an array of three ids. */ 
 
id_sequence = (int*) malloc(3); 
if (id_sequence == NULL) exit(1); 
 
/* Populate the id array. */ 
 
id_sequence[0] = 13579; 
id_sequence[1] = 24680; 
id_sequence[2] = 97531; 

The problem with the code above is the value of the size parameter used during the malloc() call. It uses a value of '3' which by definition results in a buffer of three bytes to be created. However the intention was to create a buffer that holds three ints, and in C, each int requires 4 bytes worth of memory, so an array of 12 bytes is needed, 4 bytes for each int. Executing the above code could result in a buffer overflow as 12 bytes of data is being saved into 3 bytes worth of allocated space. The overflow would occur during the assignment of id_sequence[0] and would continue with the assignment of id_sequence[1] and id_sequence[2].

The malloc() call could have used '3*sizeof(int)' as the value for the size parameter in order to allocate the correct amount of space required to store the three ints.

Observed Examples

Reference Description
CVE-2004-1363substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed
CVE-2004-0747substitution overflow: buffer overflow using expansion of environment variables
CVE-2005-2103substitution overflow: buffer overflow using a large number of substitution strings
CVE-2005-3120transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length
CVE-2003-0899transformation overflow: buffer overflow when expanding ”>” to ”&gt;”, etc.
CVE-2001-0334expansion overflow: buffer overflow using wildcards
CVE-2001-0248expansion overflow: long pathname + glob = overflow
CVE-2001-0249expansion overflow: long pathname + glob = overflow
CVE-2002-0184special characters in argument are not properly expanded
CVE-2004-0434small length value leads to heap overflow
CVE-2002-1347multiple variants
CVE-2005-0490needs closer investigation, but probably expansion-based
CVE-2004-0940needs closer investigation, but probably expansion-based
CVE-2008-0599Chain: Language interpreter calculates wrong buffer size (CWE-131) by using “size = ptr ? X : Y” instead of “size = (ptr ? X : Y)” expression.
cwe/cn/definition/131.txt · 最后更改: 2014/09/04 14:25 (外部编辑)