CWE-785 – Use of Path Manipulation Function without Maximum-sized Buffer

Description

The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.

Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others.

Windows provides a large number of utility functions that manipulate buffers containing filenames. In most cases, the result is returned in a buffer that is passed in as input. (Usually the filename is modified in place.) Most functions require the buffer to be at least MAX_PATH bytes in length, but you should check the documentation for each function individually. If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-676
CWE-120
CWE-20

 

Consequences

Integrity, Confidentiality, Availability: Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions.
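The mitigation above, sketched for the POSIX functions realpath() and readlink() as an added example that is not part of the CWE entry. The helper names `resolve_into` and `read_link_checked` are hypothetical, and the Windows MAX_PATH functions are not covered here.

```c
#define _XOPEN_SOURCE 700          /* exposes realpath()/readlink() on POSIX */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096              /* assumption: fallback if limits.h omits it */
#endif

/* Weak pattern, kept as a comment so it is never compiled:
 *     char out[128];
 *     realpath(user_path, out);   // may write up to PATH_MAX bytes into 128
 */

/* Hypothetical helper: refuse any output buffer smaller than PATH_MAX. */
int resolve_into(const char *path, char *out, size_t outlen)
{
    if (path == NULL || out == NULL || outlen < PATH_MAX) {
        errno = ERANGE;
        return -1;
    }
    return realpath(path, out) != NULL ? 0 : -1;
}

/* Hypothetical helper: readlink() honours its size argument but truncates
 * silently and never NUL-terminates, so treat a full buffer as an error. */
int read_link_checked(const char *link, char *out, size_t outlen)
{
    if (link == NULL || out == NULL || outlen < 2) { errno = ERANGE; return -1; }
    ssize_t n = readlink(link, out, outlen - 1);
    if (n < 0)
        return -1;
    if ((size_t)n == outlen - 1) { errno = ENAMETOOLONG; return -1; }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char small[128], full[PATH_MAX];
    printf("128-byte buffer:      %d\n", resolve_into(".", small, sizeof small));
    printf("PATH_MAX-byte buffer: %d\n", resolve_into(".", full, sizeof full));
    char *heap = realpath(".", NULL);   /* POSIX.1-2008: libc sizes the buffer */
    if (heap != NULL) { printf("resolved: %s\n", heap); free(heap); }
    return 0;
}
```

Passing NULL as the second argument to realpath() avoids the sizing question entirely on POSIX.1-2008 systems, at the cost of a free() in the caller.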

CVE References