CWE-469: Use of Pointer Subtraction to Determine Size
Description
The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.
Submission Date :
July 19, 2006, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Example - 1
The following example contains the method size that is used to determine the number of nodes in a linked list. The method is passed a pointer to the head of the linked list.
int data;struct node* next;
// // Returns the number of nodes in a linked list from//
// // the given pointer to the head of the list.//
tail = current;current = current->next;
struct node* current = head;struct node* tail;while (current != NULL) {}return tail - head;
// // other methods for manipulating the list//
struct node {};int size(struct node* head) {}...However, the method creates a pointer that points to the end of the list and uses pointer subtraction to determine the number of nodes in the list by subtracting the tail pointer from the head pointer. There no guarantee that the pointers exist in the same memory area, therefore using pointer subtraction in this way could return incorrect results and allow other unintended behavior. In this example a counter should be used to determine the number of nodes in the list, as shown in the following code.
count++;current = current->next;
struct node* current = head;int count = 0;while (current != NULL) {}return count;...int size(struct node* head) {}Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.