...
The p pointer, along with payload and p1, contain data from a packet. The code allocates a buffer sufficient to contain payload bytes, with some overhead, then copies payload bytes starting at p1 into this buffer and sends it to the client. Notably absent from this code are any checks that the payload integer variable extracted from the heartbeat packet corresponds to the size of the packet data. Because the client can specify an arbitrary value of payload, an attacker can cause the server to read and return the contents of memory beyond the end of the packet data, which violates INT04-C. Enforce limits on integer values originating from tainted sources. The resulting call to memcpy() can then copy the contents of memory past the end of the packet data and the packet itself, potentially exposing sensitive data to the attacker. This call to memcpy() violates ARR38-C. Guarantee that library functions do not form invalid pointers. A version of ARR38-C also appears in ISO/IEC TS 17961:2013, "Forming invalid pointers by library functions [libptr]." This rule would require a conforming analyzer to diagnose the Heartbleed vulnerability.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| C Secure Coding Standard | API00-C. Functions should validate their parameters ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array INT30-C. Ensure that unsigned integer operations do not wrap |
| ISO/IEC TS 17961:2013 | Forming invalid pointers by library functions [libptr] |
| ISO/IEC TR 24772:2013 | Buffer Boundary Violation (Buffer Overflow) [HCB] |
| MITRE CWE
| CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer |
...