CWE-467: Use of sizeof() on a Pointer Type

Description

The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Extended Description

The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug.

Example Vulnerable Codes

Example - 1

Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.

In this example, sizeof(foo) returns the size of the pointer.


double *foo;...foo = (double *)malloc(sizeof(foo));

In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.


double *foo;...foo = (double *)malloc(sizeof(*foo));

Example - 2

This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.


// /* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */// 


printf("Auth failure of username using sizeof\n");return(AUTH_FAIL);
// /* Because of CWE-467, the sizeof returns 4 on many platforms and architectures. */// 

printf("Auth success of password using sizeof\n");return(AUTH_SUCCESS);

printf("Auth fail of password using sizeof\n");return(AUTH_FAIL);printf("Sizeof username = %d\n", sizeof(username));printf("Sizeof pass = %d\n", sizeof(pass));if (strncmp(username, inUser, sizeof(username))) {}if (! strncmp(pass, inPass, sizeof(pass))) {}else {}

ExitError("Usage: Provide a username and password");
ExitError("Authentication failed");
DoAuthenticatedTask(argv[1]);int authResult;if (argc < 3) {}authResult = AuthenticateUser(argv[1], argv[2]);if (authResult != AUTH_SUCCESS) {}else {}char *username = "admin";char *pass = "password";int AuthenticateUser(char *inUser, char *inPass) {}int main (int argc, char **argv){}

In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287).

Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user:


pass5passABCDEFGHpassWORD

Because only 4 characters are checked, this significantly reduces the search space for an attacker, making brute force attacks more feasible.

The same problem also applies to the username, so values such as "adminXYZ" and "administrator" will succeed for the username.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-131: Incorrect Calculation of Buffer Size

Go to

Visit http://cwe.mitre.org/ for more details.