CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Extended Description

A buffer overflow condition exists when a product attempts to put more data in a buffer than it can hold, or when it attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the product copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.

Example Vulnerable Codes

Example - 1

The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.


char last_name[20];printf ("Enter your last name: ");scanf ("%s", last_name);

The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total.

Example - 2

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.


char buf[24];strcpy(buf, string);...void manipulate_string(char * string){}

However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Example - 3

The code below calls the gets() function to read in data from the command line.


char buf[24];printf("Please enter your name and press <Enter>\n");gets(buf);...}

However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

Example - 4

In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file.




clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);strcpy(hostname, clienthp->h_name);logOutput("Accepted client connection from host ", hostname);// process client request...close(clientsocket);int clientlen = sizeof(struct sockaddr_in);int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen);if (clientsocket >= 0) {}
struct hostent *clienthp;char hostname[MAX_LEN];// create server socket, bind to server address and listen on socket...// accept client connections and process requestsint count = 0;for (count = 0; count < MAX_CONNECTIONS; count++) {}close(serversocket);
......

However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-20: Improper Input Validation

Go to

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Go to

Visit http://cwe.mitre.org/ for more details.