Skip to content

Out-of-Bounds Access

Rule ID

MI107

Definition

The software accesses data past the end, or before the beginning, of the intended buffer.

Example

See one of the applicable code examples from CWE.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
void host_lookup(char *user_supplied_addr){
struct hostent *hp;
  in_addr_t *addr;
  char hostname[64];
  in_addr_t inet_addr(const char *cp);

  /*routine that ensures user_supplied_addr is in the right format for conversion */

  validate_addr_form(user_supplied_addr);
  addr = inet_addr(user_supplied_addr);
  hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
  strcpy(hostname, hp->h_name);
}

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker.

References

  • Common Weakness Enumeration: CWE-119
  • Common Weakness Enumeration: CWE-129
  • Common Weakness Enumeration: CWE-469
  • Common Weakness Enumeration: CWE-680
  • Common Weakness Enumeration: CWE-786
  • Common Weakness Enumeration: CWE-788