CWE-806 Details

CWE-806

Buffer Access Using Size of Source Buffer
Incomplete
2010-02-16
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Buffer Access Using Size of Source Buffer

The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.

CWE-Beschreibung

When the size of the destination is smaller than the size of the source, a buffer overflow could occur.

Allgemeine Informationen

Einführungsmodi

Implementation

Anwendbare Plattformen

Sprache

Class: Memory-Unsafe (Undetermined)
Name: C (Sometimes)
Name: C++ (Sometimes)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
AvailabilityModify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)

Note: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Integrity
Confidentiality
Availability		Read Memory, Modify Memory, Execute Unauthorized Code or Commands

Note: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.
Access ControlBypass Protection Mechanism

Note: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

Mögliche Gegenmaßnahmen

Phases : Architecture and Design
Use an abstraction library to abstract away risky APIs. Examples include the Safe C String Library (SafeStr) by Viega, and the Strsafe.h library from Microsoft. This is not a complete solution, since many buffer overflows are not related to strings.
Phases : Operation // Build and Compilation
Phases : Implementation
Programmers should adhere to the following rules when allocating and managing their applications memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if calling this function in a loop and make sure there is no danger of writing past the allocated space. Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Phases : Operation // Build and Compilation
Phases : Operation
Phases : Build and Compilation // Operation
Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution.

Erkennungsmethoden

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Wirksamkeit : High

Automated Dynamic Analysis

Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Wirksamkeit : Moderate

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Referenzen

REF-56

Using the Strsafe.h Functions
Microsoft.
https://learn.microsoft.com/en-us/windows/win32/menurc/strsafe-ovw?redirectedfrom=MSDN

REF-57

Safe C String Library v1.0.3
Matt Messier, John Viega.
http://www.gnu-darwin.org/www001/ports-1.5a-CURRENT/devel/safestr/work/safestr-1.0.3/doc/safestr.html

REF-58

Address Space Layout Randomization in Windows Vista
Michael Howard.
https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista

REF-59

Limiting buffer overflows with ExecShield
Arjan van de Ven.
https://archive.is/saAFo

REF-60

PaX
https://en.wikipedia.org/wiki/Executable_space_protection#PaX

REF-61

Understanding DEP as a mitigation technology part 1
Microsoft.
https://msrc.microsoft.com/blog/2009/06/understanding-dep-as-a-mitigation-technology-part-1/

REF-64

Position Independent Executables (PIE)
Grant Murphy.
https://www.redhat.com/en/blog/position-independent-executables-pie

REF-1332

Prelink and address space randomization
John Richard Moser.
https://lwn.net/Articles/190139/

REF-1333

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh.
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

REF-1334

Stack Frame Canary Validation (D3-SFCV)
D3FEND.
https://d3fend.mitre.org/technique/d3f:StackFrameCanaryValidation/

REF-1335

Segment Address Offset Randomization (D3-SAOR)
D3FEND.
https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization/

REF-1336

Process Segment Execution Prevention (D3-PSEP)
D3FEND.
https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention/

REF-1337

Bypassing Browser Memory Protections: Setting back browser security by 10 years
Alexander Sotirov and Mark Dowd.
https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf

REF-1518

AddressSanitizer
https://clang.llvm.org/docs/AddressSanitizer.html

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
CWE Content Team MITRE 2010-01-15 +00:00 2010-02-16 +00:00 1.8

Änderungen

Name Organisation Datum Kommentar
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2014-02-18 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2017-11-08 +00:00 updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Common_Consequences
CWE Content Team MITRE 2021-07-20 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Functional_Areas
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Detection_Factors, References
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.