Incorrect Calculation of Multi-Byte String LengthID: 135 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The software does not correctly calculate the length of strings
that can contain wide or multi-byte characters.
Applicable PlatformsLanguage: CLanguage: C++
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|
IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | This weakness may lead to a buffer overflow. Buffer overflows often
can be used to execute arbitrary code, which is usually outside the
scope of a program's implicit security policy. This can often be used to
subvert any other security service. |
AvailabilityConfidentiality | Read memoryDoS: crash / exit /
restartDoS: resource consumption
(CPU)DoS: resource consumption
(memory) | Out of bounds memory access will very likely result in the corruption
of relevant memory, and perhaps instructions, possibly leading to a
crash. Other attacks leading to lack of availability are possible,
including putting the program into an infinite loop. |
Confidentiality | Read memory | In the case of an out-of-bounds read, the attacker may have access to
sensitive information. If the sensitive information contains system
details, such as the current buffers position in memory, this knowledge
can be used to craft further attacks, possibly with more severe
consequences. |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Implementation | Input Validation | Always verify the length of the string unit character. | | |
Implementation | Libraries or Frameworks | Use length computing functions (e.g. strlen, wcslen, etc.)
appropriately with their equivalent type (e.g.: byte, wchar_t,
etc.) | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-135 ChildOf CWE-890 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following example would be exploitable if any of the commented
incorrect malloc calls were used.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
CLASP | | Improper string length checking | |
CERT C Secure Coding | STR33-C | Size wide character strings correctly | |
CERT Java Secure Coding | FIO10-J | Ensure the array is filled when using read() to fill an
array | |
References:
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 5, "Unicode and ANSI Buffer Size Mismatches" Page
153'. Published on 2002.