Out-of-Bounds Access¶

Rule ID¶

MI107

Definition¶

The software accesses data past the end, or before the beginning, of the intended buffer.

Example¶

See one of the applicable code examples from CWE.

void host_lookup(char *user_supplied_addr){
struct hostent *hp;
  in_addr_t *addr;
  char hostname[64];
  in_addr_t inet_addr(const char *cp);

  /*routine that ensures user_supplied_addr is in the right format for conversion */

  validate_addr_form(user_supplied_addr);
  addr = inet_addr(user_supplied_addr);
  hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
  strcpy(hostname, hp->h_name);
}

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer. This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker.

References¶

Common Weakness Enumeration: CWE-119
Common Weakness Enumeration: CWE-129
Common Weakness Enumeration: CWE-469
Common Weakness Enumeration: CWE-680
Common Weakness Enumeration: CWE-786
Common Weakness Enumeration: CWE-788