CWE-131 – Incorrect Calculation of Buffer Size

Read Time:5 Minute, 12 Second

Description

The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-682
CWE-682
CWE-682
CWE-682
CWE-119

 

Consequences

Integrity, Availability, Confidentiality: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory, Modify Memory

If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data.

 

Potential Mitigations

Phase: Implementation

Description: 

When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts “&” characters to “&” for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.

Phase: Architecture and Design

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Description: 

When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).

Phase: Implementation

Description: 

When allocating memory that uses sentinels to mark the end of a data structure – such as NUL bytes in strings – make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.

Phase: Implementation

Effectiveness: Moderate

Description: 

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). Additionally, this only addresses potential overflow issues. Resource consumption / exhaustion issues are still possible.

Phase: Implementation

Description: 

Use sizeof() on the appropriate data type to avoid CWE-467.

Phase: Implementation

Description: 

Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.

Phase: Architecture and Design

Description: 

Phase: Build and Compilation

Effectiveness: Defense in Depth

Description: 

This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Operation

Effectiveness: Defense in Depth

Description: 

Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-61] [REF-60].

This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.

Phase: Implementation

Description: 

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

CVE References

  • CVE-2004-1363
    • substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed
  • CVE-2004-0747
    • substitution overflow: buffer overflow using expansion of environment variables
  • CVE-2005-2103
    • substitution overflow: buffer overflow using a large number of substitution strings
  • CVE-2005-3120
    • transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length
  • CVE-2003-0899
    • transformation overflow: buffer overflow when expanding “>” to “>”, etc.
  • CVE-2001-0334
    • expansion overflow: buffer overflow using wildcards
  • CVE-2001-0248
    • expansion overflow: long pathname + glob = overflow
  • CVE-2001-0249
    • expansion overflow: long pathname + glob = overflow
  • CVE-2002-0184
    • special characters in argument are not properly expanded
  • CVE-2005-0490
    • needs closer investigation, but probably expansion-based
  • CVE-2004-0940
    • needs closer investigation, but probably expansion-based
  • CVE-2008-0599
    • Chain: Language interpreter calculates wrong buffer size (CWE-131) by using “size = ptr ? X : Y” instead of “size = (ptr ? X : Y)” expression.