CWE-805
Buffer Access with Incorrect Length Value
Hoog
Incomplete
2010-02-16
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Naam: Buffer Access with Incorrect Length Value
The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
CWE-beschrijving
When the length value exceeds the size of the destination, a buffer overflow could occur.
Algemene informatie
Introductiemodi
ImplementationToepasselijke platforms
Taal
Class: Memory-Unsafe (Undetermined)Name: C (Often)
Name: C++ (Often)
Class: Assembly (Undetermined)
Veelvoorkomende gevolgen
| Bereik | Impact | Waarschijnlijkheid |
|---|---|---|
| Integrity Confidentiality Availability | Read Memory, Modify Memory, Execute Unauthorized Code or Commands Note: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. | |
| Availability | Modify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU) Note: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. |
Waargenomen voorbeelden
| Referenties | Beschrijving |
|---|---|
CVE-2011-1959 | Chain: large length value causes buffer over-read (CWE-126) |
CVE-2011-1848 | Use of packet length field to make a calculation, then copy into a fixed-size buffer |
CVE-2011-0105 | Chain: retrieval of length value from an uninitialized memory location |
CVE-2011-0606 | Crafted length value in document reader leads to buffer overflow |
CVE-2011-0651 | SSL server overflow when the sum of multiple length fields exceeds a given value |
CVE-2010-4156 | Language interpreter API function doesn't validate length argument, leading to information exposure |
Mogelijke risicobeperkingen
Phases : RequirementsPhases : Architecture and Design
Phases : Operation // Build and Compilation
Phases : Implementation
Phases : Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phases : Operation // Build and Compilation
Phases : Operation
Phases : Architecture and Design // Operation
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the product or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Phases : Architecture and Design // Operation
Detectiemethoden
Automated Static Analysis
Effectiviteit : HighAutomated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.Effectiviteit : Moderate
Manual Analysis
Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.Automated Dynamic Analysis
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].Effectiviteit : Moderate
Notities kwetsbaarheidsmapping
Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Gerelateerde aanvalspatronen
| CAPEC-ID | Naam aanvalspatroon |
|---|---|
| CAPEC-100 | Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. |
| CAPEC-256 | SOAP Array Overflow
An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array. |
Referenties
REF-7
Writing Secure CodeMichael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
REF-58
Address Space Layout Randomization in Windows VistaMichael Howard.
https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista
REF-59
Limiting buffer overflows with ExecShieldArjan van de Ven.
https://archive.is/saAFo
REF-60
PaXhttps://en.wikipedia.org/wiki/Executable_space_protection#PaX
REF-741
Top 25 Series - Rank 12 - Buffer Access with Incorrect Length ValueJason Lam.
https://web.archive.org/web/20100316043717/http://blogs.sans.org:80/appsecstreetfighter/2010/03/11/top-25-series-rank-12-buffer-access-with-incorrect-length-value/
REF-57
Safe C String Library v1.0.3Matt Messier, John Viega.
http://www.gnu-darwin.org/www001/ports-1.5a-CURRENT/devel/safestr/work/safestr-1.0.3/doc/safestr.html
REF-56
Using the Strsafe.h FunctionsMicrosoft.
https://learn.microsoft.com/en-us/windows/win32/menurc/strsafe-ovw?redirectedfrom=MSDN
REF-61
Understanding DEP as a mitigation technology part 1Microsoft.
https://msrc.microsoft.com/blog/2009/06/understanding-dep-as-a-mitigation-technology-part-1/
REF-76
Least PrivilegeSean Barnum, Michael Gegick.
https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege
REF-64
Position Independent Executables (PIE)Grant Murphy.
https://www.redhat.com/en/blog/position-independent-executables-pie
REF-1332
Prelink and address space randomizationJohn Richard Moser.
https://lwn.net/Articles/190139/
REF-1333
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLRDmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh.
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf
REF-1334
Stack Frame Canary Validation (D3-SFCV)D3FEND.
https://d3fend.mitre.org/technique/d3f:StackFrameCanaryValidation/
REF-1335
Segment Address Offset Randomization (D3-SAOR)D3FEND.
https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization/
REF-1336
Process Segment Execution Prevention (D3-PSEP)D3FEND.
https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention/
REF-1337
Bypassing Browser Memory Protections: Setting back browser security by 10 yearsAlexander Sotirov and Mark Dowd.
https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf
REF-1518
AddressSanitizerhttps://clang.llvm.org/docs/AddressSanitizer.html
Indiening
| Naam | Organisatie | Datum | Releasedatum | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.8 |
Wijzigingen
| Naam | Organisatie | Datum | Opmerking |
|---|---|---|---|
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Common_Consequences, Potential_Mitigations, References | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Potential_Mitigations, References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Potential_Mitigations, References | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Potential_Mitigations | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Description, Detection_Factors, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Potential_Mitigations, References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Functional_Areas | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Detection_Factors, References |
