CWE-125: Out-of-bounds Read

Description

The product reads data past the end, or before the beginning, of the intended buffer.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.

Example Vulnerable Codes

Example - 1

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method


// // check that the array index is less than the maximum// 
// // length of the array// 

// // get the value at the specified index of the array// 
value = array[index];
// // if array index is invalid then output error message// 
// // and return value indicating error// 

printf("Value is: %d\n", array[index]);value = -1;
int value;if (index < len) {}else {}return value;int getValueFromArray(int *array, int len, int index) {}

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


// // check that the array index is within the correct// 
// // range of values for the array// 
...if (index >= 0 && index < len) {...

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Go to
CWE-126: Buffer Over-read
Go to
CWE-127: Buffer Under-read
Go to
CWE-822: Untrusted Pointer Dereference
Go to
CWE-823: Use of Out-of-range Pointer Offset
Go to
CWE-824: Access of Uninitialized Pointer
Go to
CWE-825: Expired Pointer Dereference
Go to

Visit http://cwe.mitre.org/ for more details.