Page History

...

...

enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(size_t index) {
  if (index < TABLESIZE)
    return table + index;

  return NULL;
}

Noncompliant Code Example (Dereferencing

...

Past The End Pointer)

The noncompliant code example below shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm.  The error is that the while loop in the {{GetMachineName()}} function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by {{pwszTemp}} does not contain the backslash character among the first {{MAX_COMPUTERNAME_LENGTH_FQDN + 1}} elements the final valid iteration of the loop will dereference the past the end pointer resulting in exploitable undefined behavior [44|CC. Undefined Behavior#ub_44]. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million \[[Pethia 03|AA. References#Pethia 03]\].

For a discussion of this programming error in the Common Weakness Enumeration database see CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer and CWE-121: Stack-based Buffer Overflow].

error_status_t _RemoteActivation(
 

error_status_t _RemoteActivation(
      /* ... */, WCHAR *pwszObjectName, ... ) {
   *phr = GetServerPath(
              pwszObjectName, &pwszObjectName);
    /* ... */
}

HRESULT GetServerPath(
  WCHAR *pwszPath, WCHAR **pwszServerPath ){
  WCHAR *pwszFinalPath = pwszPath;
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1];
  hr = GetMachineName(pwszPath, wszMachineName);
  *pwszServerPath = pwszFinalPath;
}

HRESULT GetMachineName(
  WCHAR *pwszPath,
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  pwszServerName = wszMachineName;
  LPWSTR pwszTemp = pwszPath + 2;
  while ( *pwszTemp != L'\\' )
    *pwszServerName++ = *pwszTemp++;
  /* ... */
}

...

This compliant solution is for illustrative purposes and is not necessarily the solution implemented by Microsoft. This particular "solution" may not be correct, because there is no guarantee that a L'
' is found.

Noncompliant Code Example (

...

Using Past The End Index)

The noncompliant example below declares {{matrix}} to consist of 7 rows and 5 columns in row-major order. The function {{init_matrix}} then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument {{x}}. However, since multidimensional arrays are declared in C in row-major order and the function iterates over the elements in column-major order, when the value of {{j}} reaches the value {{COLS}} during the first iteration of the outer loop the function attempts to access element {{matrix\[0\]\[5\]}}. Since the type of {{matrix}} is {{int\[7\]\[5\]}}, the {{j}} subscript is out of range and the access has undefined behavior [46|CC. Undefined Behavior#ub_46].

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != COLS; ++i)
    for (size_t j = 0; j != ROWS; ++j)
      matrix[i][j] = x;
}

Compliant Solution

The compliant solution below takes care to avoid using out-of-range indices by initializing matrix elements in the same row-major order as multidimensional objects are declared in C.

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != ROWS; ++i)
    for (size_t j = 0; j != COLS; ++j)
      matrix[i][j] = x;
}

...

Similarly to the #Dereferencing Past The End Pointer error, the function insert_in_table() in the noncompliant code example below uses an otherwise valid index to attempt to store a value in an element just past the end of an array.

First, the function incorrectly validates the index pos against the size of the buffer. When the index is equal to size the function will attempt to store value in a memory location just past the end of the buffer.

Second, when the index is greater than size the function modifies size before growing the size of the buffer. If the call to realloc() fails to increase the size of the buffer, the next call to the function with a value of pos equal to or greater than the original value of size will again attempt to store value in a memory location just past the end of the buffer or beyond.

For a discussion of this programming error in the Common Weakness Enumeration database see CWE-122: Heap-based Buffer Overflow, and CWE-129: Improper Validation of Array Index.

static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size < pos) {
    int *tmp;
    size = pos + 1;
    tmp = (int*)realloc(table, sizeof *table * size);
    if (NULL == tmp)
      return -1;

    table = tmp;
  }

  table[pos] = value;
  return 0;
}

Compliant Solution

The compliant solution below correctly validates the index pos by using the <= operator and avoids modifying size until it has verified that the call to realloc() was successful.

static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size <= pos) {
    int *tmp = (int*)realloc(table, sizeof *table * (pos + 1));
    if (NULL == tmp)
      return -1;   /* indicate failure */

    /* modify size only after realloc succeeds */
    size  = pos + 1;
    table = tmp;
  }

  table[pos] = value;
  return 0;
}

Noncompliant Code Example (Apparently Accessible Out Of Range Index)

The noncompliant example below declares {{matrix}} to consist of 7 rows and 5 columns in row-major order. The function {{init_matrix}} then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument {{x}}. However, since multidimensional arrays are declared in C in row-major order and the function iterates over the elements in column-major order, when the value of {{j}} reaches the value {{COLS}} during the first iteration of the outer loop the function attempts to access element {{matrix\[0\]\[5\]}}. Since the type of {{matrix}} is {{int\[7\]\[5\]}}, the {{j}} subscript is out of range and the access has undefined behavior [46|CC. Undefined Behavior#ub_46].

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != COLS; ++i)
    for (size_t j = 0; j != ROWS; ++j)
      matrix[i][j] = x;
}

Compliant Solution

The compliant solution below takes care to avoid using out-of-range indices by initializing matrix elements in the same row-major order as multidimensional objects are declared in C.

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != ROWS; ++i)
    for (size_t j = 0; j != COLS; ++j)
      matrix[i][j] = x;
}

Noncompliant Code Example (Pointer Past Flexible Array Member)

...

Noncompliant Code Example (Pointer Past Flexible Array Member)

In the following noncompliant example the function find() attempts to iterate over the elements of the flexible array member buf, starting with the second element. However, since function g() does not allocate any storage for the member, the expression first++ in find() will attempt to form a pointer just past the end of buf when there are no elements. This attempt results in undefined behavior 59.

struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first++ != last)   /* undefined behavior here */
    if (*first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

Compliant Solution

The compliant solution avoids incrementing the pointer unless a value past the end is known to exist.

...

In the following noncompliant example the function f() calls fread() to read nitems of type wchar_t, each size bytes in size, into an array of BUFSIZ elements, wbuf. However, the expression used to compute the value of nitems fails to account for the fact that unlike the size of char, the size of wchar_t may be greater than 1. Thus, fread() may attempt to form pointers past the end of wbuf and use them to assign values to non-existing elements of the array. Such an attempt results in undefined behavior 103. A likely manifestation of this undefined behavior is classic buffer overflow which is often exploitable by code injection attackslikely manifestation of this undefined behavior is classic buffer overflow which is often exploitable by code injection attacks.

For a discussion of this programming error in the Common Weakness Enumeration database see CWE-121: Access of Memory Location After End of Buffer, and CWE-805: Buffer Access with Incorrect Length Value.

void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

Compliant Solution

The compliant solution is to correctly compute the maximum number of items for fread() to read from the file.

void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf / size;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

Risk Assessment

Accessing out of range pointers or array subscripts for writing can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process or unintended information disclosure.

Automated Detection

The Coverity Prevent Version 5.0 ARRAY_VS_SINGLETON checker can detect the access of memory past the end of a memory buffer/array. The NEGATIVE_RETURNS checker can detect when the loop bound may become negative. The OVERRUN_STATIC and OVERRUN_DYNAMIC checker can detect the out of bound read/write to array allocated statically or dynamically.

Compass/ROSE could be configured to catch violations of this rule. The way to catch the NCE is to first hunt for example code that follows this pattern:

for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; *pwszTemp++;)

In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer.

Once this case is handled, we can handle cases like the real NCE, which is effectively the same semantics, just different syntax.

Klocwork can detect violations of this rule with the ABV.ITERATOR and SV.TAINTED.LOOP_BOUND checker.  See Klocwork Cross Reference

Related Vulnerabilities

[CVE-2008-1517|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1517] results from a violation of this rule. Before Mac OSX version 10.5.7, the xnu kernel accessed an array at an unverified, user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory \[[xorl 2009|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]\].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

TO DO.

References

const size_t nitems = sizeof wbuf / size;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

Risk Assessment

Accessing out of range pointers or array subscripts for writing can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process or unintended information disclosure.

Automated Detection

The Coverity Prevent Version 5.0 ARRAY_VS_SINGLETON checker can detect the access of memory past the end of a memory buffer/array. The NEGATIVE_RETURNS checker can detect when the loop bound may become negative. The OVERRUN_STATIC and OVERRUN_DYNAMIC checker can detect the out of bound read/write to array allocated statically or dynamically.

Compass/ROSE could be configured to catch violations of this rule. The way to catch the NCE is to first hunt for example code that follows this pattern:

for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; *pwszTemp++;)

In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer.

Once this case is handled, we can handle cases like the real NCE, which is effectively the same semantics, just different syntax.

Klocwork can detect violations of this rule with the ABV.ITERATOR and SV.TAINTED.LOOP_BOUND checker.  See Klocwork Cross Reference

Related Vulnerabilities

[CVE-2008-1517|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1517] results from a violation of this rule. Before Mac OSX version 10.5.7, the xnu kernel accessed an array at an unverified, user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory \[[xorl 2009|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]\].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

TO DO.

References

\[[ISO/IEC 9899:1999|AA. References#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators"
\[[ISO/IEC PDTR 24772|AA. References#ISO/IEC PDTR 24772]\] "XYX Boundary Beginning Violation," "XYY Wrap-around Error," and "XYZ Unchecked Array Indexing"
\[[CWE|AA. References#CWE]\] [CWE-119|http://cwe.mitre.org/data/definitions/119.html]: Failure to Constrain Operations within the Bounds of a Memory Buffer
\[[CWE|AA. References#CWE]\] [CWE-121|http://cwe.mitre.org/data/definitions/121.html]: Stack-based Buffer Overflow
\[[CWE|AA. References#CWE]\] [CWE-122|http://cwe.mitre.org/data/definitions/122.html]: Heap-based Buffer Overflow
\[[CWE|AA. References#CWE]\] [CWE-129|http://cwe.mitre.org/data/definitions/129.html]: Unchecked Array Indexing

\[[ISO/IEC 9899:1999|AA. References#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators"
\[[ISO/IEC PDTR 24772|AA. References#ISO/IEC PDTR 24772]\] "XYX Boundary Beginning Violation," "XYY Wrap-around Error," and "XYZ Unchecked Array Indexing"
\[[CWE|AA. References#CWE]\] [CWE-119788|http://cwe.mitre.org/data/definitions/119788.html]: FailureAccess toof ConstrainMemory OperationsLocation withinAfter theEnd Bounds of a Memory Buffer
\[[CWE|AA. References#CWE]\] [CWE-129805|http://cwe.mitre.org/data/definitions/129805.html]: Unchecked Array IndexingBuffer Access with Incorrect Length Value
\[[Finlay 03|AA. References#Finlay 03]\]
\[[Microsoft 03|AA. References#Microsoft 03]\]
\[[Pethia 03|AA. References#Pethia 03]\]
\[[Seacord 05a|AA. References#Seacord 05]\] Chapter 1, "Running with Scissors"
\[[Viega 05|AA. References#Viega 05]\] Section 5.2.13, "Unchecked array indexing"
\[[xorl 2009|AA. References#xorl 2009] \] ["CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]

...