...
fgets() | fgetws() | mbstowcs() 1 | wcstombs() 1 |
mbrtoc16() 2 | mbrtoc32() 2 | mbsrtowcs() 1 | wcsrtombs() 1 |
mbtowc() 2 | mbrtowc() 1 2 | mblen() | mbrlen() |
memchr() | wmemchr() | memset() | wmemset() |
strftime() | wcsftime() | strxfrm()1 | wcsxfrm()1 |
strncat()2 | wcsncat()2 | snprintf() | vsnprintf() |
swprintf() | vswprintf() | setvbuf() | tmpnam_s() |
snprintf_s() | sprintf_s() | vsnprintf_s() | vsprintf_s() |
gets_s() | getenv_s() | wctomb_s() | mbstowcs_s()3 |
wcstombs_s()3 | memcpy_s()3 | memmove_s()3 | strncpy_s()3 |
strncat_s()3 | strtok_s()2 | strerror_s() | strnlen_s() |
asctime_s() | ctime_s() | snwprintf_s() | swprintf_s() |
vsnwprintf_s() | vswprintf_s() | wcsncpy_s()3 | wmemcpy_s()3 |
wmemmove_s()3 | wcsncat_s()3 | wcstok_s()2 | wcsnlen_s() |
wcrtomb_s() | mbsrtowcs_s()3 | wcsrtombs_s()3 | memset_s()4 |
...
Tool | Version | Checker | Description | |||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| array_out_of_bounds | Supported Astrée reports all out-of-bound accesses within library analysis stubs. The user may provide additional stubs for arbitrary (library) functions. Supported, but no explicit checker | |||||||||||||||||||||||
CodeSonar |
| LANG.MEM.BO | Buffer overrun | |||||||||||||||||||||||
Coverity |
| BUFFER_SIZE BAD_SIZEOF BAD_ALLOC_STRLEN BAD_ALLOC_ARITHMETIC | Implemented | |||||||||||||||||||||||
5.0 | Can detect violations of this rule with CERT C Rule Pack | Klocwork|||||||||||||||||||||||||
Helix QAC |
| Klocwork
| Klocwork
| C2840 DF2840, DF2841, DF2842, DF2843, DF2845, DF2846, DF2847, DF2848, DF2935, DF2936, DF2937, DF2938, DF4880, DF4881, DF4882, DF4883 | ||||||||||||||||||||||
| ABV.GENERAL | |||||||||||||||||||||||||
LDRA tool suite |
| 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X | Partially Implmented | |||||||||||||||||||||||
Parasoft C/C++test |
| CERT_C-ARR38-a | Avoid overflow when reading from a buffer | |||||||||||||||||||||||
Parasoft Insure++ | Runtime analysis | |||||||||||||||||||||||||
PC-lint Plus |
| 419, 420 | Partially supported | |||||||||||||||||||||||
Polyspace Bug Finder |
| Checks for:
Invalid use of standard library memory routine Invalid use of standard library string routine | Array index outside bounds during array access String format specifier causes buffer argument of standard library functions to overflow Function writes to buffer at offset greater than buffer size Function writes to buffer at a negative offset from beginning of buffer Standard library memory function called with invalid arguments Standard library string function called with invalid arguments Data size argument is not computed from actual data length Pointer dereference outside its bounds Use of Pointer from an unsecure source may be NULL or point to unknown memory | PRQA QA-C | ||||||||||||||||||||||
Include Page | PRQA QA-C_v | PRQA QA-C_v | 2845, 2846, 2847, 2848, 2849, 2930, 2932, 2933, 2934 | Fully implemented | PRQA QA-C++ | |||||||||||||||||||||
Include Page | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | 2840, 2841, 2842, 2843, 2844 | Fully implemented | ||||||||||||||||||||||
Include Page | Splint_V | Splint_V |
Related Vulnerabilities
CVE-2016-2208 results from a violation of this rule. The attacker can supply a value used to determine how much data is copied into a buffer via memcpy()
, resulting in a buffer overlow of attacker-controlled data.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
...
Taxonomy
...
Taxonomy item
...
Relationship
...
2017-10-30:MITRE:Unspecified Relationship
2018-10-18:CERT:Rule subset of CWE
Rule partially covered. | |||||||||
| |||||||||
TrustInSoft Analyzer |
| out of bounds read | Partially verified. |
Related Vulnerabilities
CVE-2016-2208 results from a violation of this rule. The attacker can supply a value used to determine how much data is copied into a buffer via memcpy()
, resulting in a buffer overlow of attacker-controlled data.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
C Secure Coding Standard | API00-C. Functions should validate their parameters | Prior to 2018-01-12: CERT: Unspecified Relationship |
C Secure Coding Standard | ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array | Prior to 2018-01-12: CERT: Unspecified Relationship |
C Secure Coding Standard | INT30-C. Ensure that unsigned integer operations do not wrap | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961:2013 | Forming invalid pointers by library functions [libptr] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Buffer Boundary Violation (Buffer Overflow) [HCB] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Unchecked Array Copying [XYW] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2017-05-18: CERT: Rule subset of CWE |
CWE 2.11 | CWE-121, Stack-based Buffer Overflow | 2017-05-18: CERT: Partial overlap |
CWE 2.11 | CWE-123, Write-what-where Condition | 2017-05-18: CERT: Partial overlap |
CWE 2.11 | CWE-125, Out-of-bounds Read | 2017-05-18: CERT: Partial overlap |
CWE 2.11 | CWE-805, Buffer Access with Incorrect Length Value | 2017-05-18: CERT: Partial overlap |
CWE 3.1 | CWE-129, Improper Validation of Array Index | 2017-10-30:MITRE:Unspecified Relationship 2018-10-18:CERT:Partial Overlap |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-121 and ARR38-C
Intersection( CWE-121, ARR38-C) =
- Stack buffer overflow from passing invalid arguments to library function
CWE-121 – ARR38-C =
- Stack buffer overflows from direct out-of-bounds write
ARR38-C – CWE-121 =
- Out-of-bounds read from passing invalid arguments to library function
- Buffer overflow on heap or data segment from passing invalid arguments to library function
CWE-119 and ARR38-C
See CWE-119 and ARR30-C
CWE-125 and ARR38-C
Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
Intersection( ARR38-C, CWE-125) =
- Reading from an out-of-bounds array index or off the end of an array via standard library function
ARR38-C – CWE-125 =
- Writing to an out-of-bounds array index or off the end of an array via standard library function
CWE-125 – ARR38-C =
- Reading beyond a non-array buffer
- Reading beyond an array directly (using pointer arithmetic, or [] notation)
CWE-805 and ARR38-C
Intersection( CWE-805, ARR38-C) =
- Buffer access with incorrect length via passing invalid arguments to library function
CWE-805 – ARR38-C =
- Buffer access with incorrect length directly (such as a loop construct)
ARR38-C – CWE-805 =
- Out-of-bounds read or write that does not involve incorrect length (could use incorrect offset instead), that uses library function
CWE-123 and ARR38-C
Independent(ARR30-C, ARR38-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-123 includes any operation that allows an attacker to write an arbitrary value to an arbitrary memory location. This could be accomplished via overwriting a pointer with data that refers to the address to write, then when the program writes to a pointed-to value, supplying a malicious value. Vulnerable pointer values can be corrupted by:
- Stack return address
- Buffer overflow on the heap (which typically overwrites back/next pointer values)
- Write to untrusted array index (if it is also invalid)
- Format string exploit
- Overwriting a C++ object with virtual functions (because it has a virtual pointer)
- Others?
Intersection( CWE-123, ARR38-C) =
- Buffer overflow via passing invalid arguments to library function
ARR38-C – CWE-123 =
- Buffer overflow to “harmless” memory from passing invalid arguments to library function
- Out-of-bounds read from passing invalid arguments to library function
CWE-123 – ARR38-C =
- Arbitrary writes that do not involve standard C library functions
CWE-129 and ARR38-C
ARR38-C -CWE-129 = making library functions create invalid pointers without using untrusted data.
E.g. : char[3] array;
strcpy(array, "123456");
CWE-129 - ARR38-C = not validating an integer used as an array index or in pointer arithmetic
E.g.: void foo(int i) {
char array[3];
array[i];
}
Intersection(ARR38-C, CWE-129) = making library functions create invalid pointers using untrusted data.
eg: void foo(int i) {
char src[3], dest[3];
memcpy(dest, src, i);
}
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-121 and ARR38-C
Intersection( CWE-121, ARR38-C) =
- Stack buffer overflow from passing invalid arguments to library function
CWE-121 – ARR38-C =
- Stack buffer overflows from direct out-of-bounds write
ARR38-C – CWE-121 =
- Out-of-bounds read from passing invalid arguments to library function
- Buffer overflow on heap or data segment from passing invalid arguments to library function
CWE-119 and ARR38-C
See CWE-119 and ARR30-C
CWE-125 and ARR38-C
Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C) STR31-C = Subset( Union( ARR30-C, ARR38-C)) STR32-C = Subset( ARR38-C)
Intersection( ARR38-C, CWE-125) =
- Reading from an out-of-bounds array index or off the end of an array via standard library function
ARR38-C – CWE-125 =
- Writing to an out-of-bounds array index or off the end of an array via standard library function
CWE-125 – ARR38-C =
- Reading beyond a non-array buffer
- Reading beyond an array directly (using pointer arithmetic, or [] notation)
CWE-805 and ARR38-C
Intersection( CWE-805, ARR38-C) =
- Buffer access with incorrect length via passing invalid arguments to library function
CWE-805 – ARR38-C =
- Buffer access with incorrect length directly (such as a loop construct)
ARR38-C – CWE-805 =
- Out-of-bounds read or write that does not involve incorrect length (could use incorrect offset instead), that uses library function
CWE-123 and ARR38-C
Independent(ARR30-C, ARR38-C) STR31-C = Subset( Union( ARR30-C, ARR38-C)) STR32-C = Subset( ARR38-C)
CWE-123 includes any operation that allows an attacker to write an arbitrary value to an arbitrary memory location. This could be accomplished via overwriting a pointer with data that refers to the address to write, then when the program writes to a pointed-to value, supplying a malicious value. Vulnerable pointer values can be corrupted by:
- Stack return address
- Buffer overflow on the heap (which typically overwrites back/next pointer values)
- Write to untrusted array index (if it is also invalid)
- Format string exploit
- Overwriting a C++ object with virtual functions (because it has a virtual pointer)
- Others?
Intersection( CWE-123, ARR38-C) =
- Buffer overflow via passing invalid arguments to library function
ARR38-C – CWE-123 =
- Buffer overflow to “harmless” memory from passing invalid arguments to library function
- Out-of-bounds read from passing invalid arguments to library function
CWE-123 – ARR38-C =
- Arbitrary writes that do not involve standard C library functions
CWE-129 and ARR38-C
ARR38-C = Subset( CWE-129)
...
Bibliography
[Cassidy 2014] | Existential Type Crisis : Diagnosis of the OpenSSL Heartbleed Bug |
[IETF: RFC 6520] | |
[ISO/IEC TS 17961:2013] | |
[VU#720951] |
...