...
For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Failure to constrain operations within the bounds of a memory buffer," and CWE-121, "Stack-based buffer overflow."
```c
error_status_t _RemoteActivation(
      /* ... */, WCHAR *pwszObjectName, ... ) {
  *phr = GetServerPath(pwszObjectName, &pwszObjectName);
  /* ... */
}

HRESULT GetServerPath(
  WCHAR *pwszPath, WCHAR **pwszServerPath ){
  WCHAR *pwszFinalPath = pwszPath;
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1];
  hr = GetMachineName(pwszPath, wszMachineName);
  *pwszServerPath = pwszFinalPath;
}

HRESULT GetMachineName(
  WCHAR *pwszPath,
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  pwszServerName = wszMachineName;
  LPWSTR pwszTemp = pwszPath + 2;
  /* Noncompliant: the copy stops only at a backslash in the input;
     nothing bounds the write into wszMachineName. */
  while ( *pwszTemp != L'\\' )
    *pwszServerName++ = *pwszTemp++;
  /* ... */
}
```
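A bounded form of the copy loop in `GetMachineName()`, written in portable C as an added example; it is not code from the original page or from the vendor. The function name `get_machine_name`, the `dst_len` parameter and the constant `MACHINE_NAME_MAX` (a stand-in for `MAX_COMPUTERNAME_LENGTH_FQDN` with a constructed value) are assumptions.

```c
#include <stddef.h>
#include <wchar.h>

/* Assumed stand-in for MAX_COMPUTERNAME_LENGTH_FQDN; the value is constructed. */
#define MACHINE_NAME_MAX 15

/*
 * Copy the server component of a UNC path (\\server\share) into dst.
 * dst_len is the capacity of dst in elements, including the terminator.
 * Returns 0 on success, -1 if the path is malformed or the name does not fit.
 */
int get_machine_name(const wchar_t *path, wchar_t *dst, size_t dst_len) {
  size_t i = 0;

  if (path == NULL || dst == NULL || dst_len == 0)
    return -1;
  dst[0] = L'\0';

  /* Require the leading "\\" before skipping it. */
  if (path[0] != L'\\' || path[1] != L'\\')
    return -1;
  path += 2;

  /* Stop at the separator, at end of input, or when dst is full. */
  while (path[i] != L'\\' && path[i] != L'\0' && i < dst_len - 1) {
    dst[i] = path[i];
    i++;
  }

  /* Anything other than a separator here means the name was too long,
     the input ended early, or the name was empty: reject it. */
  if (path[i] != L'\\' || i == 0) {
    dst[0] = L'\0';
    return -1;
  }
  dst[i] = L'\0';
  return 0;
}
```

The loop has three exit conditions where the noncompliant version has one, and the caller passes the destination capacity explicitly instead of relying on the array-typed parameter, which decays to a pointer and carries no size.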
...
Noncompliant Code Example (Using Past the End Index)
Similar to the dereferencing-past-the-end-pointer error (see ARR30-C. Do not form or use out of bounds pointers or array subscripts), the function insert_in_table() in the following noncompliant code example uses an otherwise valid index to attempt to store a value in an element just past the end of an array.
...
For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-122, "Heap-based buffer overflow," and CWE-129, "Improper validation of array index."
```c
#include <stdlib.h>

static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size < pos) {  /* Noncompliant: pos == size skips the resize */
    int *tmp;
    size = pos + 1;
    tmp = (int *)realloc(table, sizeof *table * size);
    if (NULL == tmp)
      return -1;
    table = tmp;
  }
  table[pos] = value;  /* Writes one element past the end when pos == size */
  return 0;
}
```
...
For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-121, "Access of memory location after end of buffer," and CWE-805, "Buffer access with incorrect length value."
```c
#include <stdio.h>
#include <wchar.h>

void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];
  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf;  /* Noncompliant: byte count, not element count */
  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}
```
...
Tool | Version | Checker | Description
---|---|---|---
| | ARRAY_VS_SINGLETON | Can detect the access of memory past the end of a memory buffer/array.
| | NEGATIVE_RETURNS | Can detect when the loop bound may become negative.
| | OVERRUN_STATIC | Can detect the out-of-bound read/write to array allocated statically or dynamically.
| | ABV.ITERATOR SV.TAINTED.LOOP_BOUND |
Compass/ROSE | | | Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: `for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';` In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, we can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax.
LDRA tool suite | | 47 S | Partially implemented.
...
ISO/IEC TR 24772 "XYX Boundary beginning violation," "XYY Wrap-around error," and "XYZ Unchecked array indexing"
MITRE CWE: CWE-119, "Failure to constrain operations within the bounds of a memory buffer"
MITRE CWE: CWE-121, "Stack-based buffer overflow"
MITRE CWE: CWE-122, "Heap-based buffer overflow"
MITRE CWE: CWE-129, "Unchecked array indexing"
MITRE CWE: CWE-788, "Access of memory location after end of buffer"
MITRE CWE: CWE-805, "Buffer access with incorrect length value"
Bibliography
[Finlay 2003]
[Microsoft 2003]
[Pethia 2003]
[Seacord 2005a] Chapter 1, "Running with Scissors"
[Viega 2005] Section 5.2.13, "Unchecked array indexing"
[xorl 2009] "CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"
...