CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Learn about CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')), its security impact, exploitation methods, and prevention guidelines.
What is Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')?
• Overview: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') occurs when a program copies data into a buffer without ensuring the data fits, leading to potential overflows that overwrite adjacent memory.
• Exploitation Methods:
- Attackers can exploit this by providing input data that exceeds the buffer's capacity, overwriting memory areas.
- Common attack patterns include injecting malicious code or altering the program's execution flow, often through techniques like stack smashing.
• Security Impact:
- Direct consequences include arbitrary code execution, crashing the program, or data corruption.
- Potential cascading effects involve unauthorized access, system compromise, or denial of service.
- Business impact could result in data breaches, loss of customer trust, and legal consequences.
• Prevention Guidelines:
- Specific code-level fixes include using safe functions like strncpy() instead of strcpy(), and always checking buffer sizes.
- Security best practices involve performing input validation and boundary checks consistently.
- Recommended tools and frameworks include static analysis tools to detect overflow vulnerabilities and adopting languages or libraries that offer built-in buffer management.
Technical Details
Likelihood of Exploit:
Affected Languages: C, C++, Assembly
Affected Technologies: Not specified
Vulnerable Code Example
Below is the improved content with corrections and enhancements to demonstrate the vulnerability and fix clearly, following best practices and proper formatting.
#include <stdio.h>
#include <string.h>
// This function is vulnerable to buffer overflow
void copy_input(char *input) {
char buffer[10];
// Vulnerable line: strcpy does not check the size of the input
// If input is longer than 9 characters, it will overflow buffer
strcpy(buffer, input); // Potential buffer overflow
printf("Buffer content: %s\n", buffer);
}
int main() {
char user_input[100];
printf("Enter input: ");
fgets(user_input, sizeof(user_input), stdin);
// Removing newline character from fgets
user_input[strcspn(user_input, "\n")] = 0;
copy_input(user_input);
return 0;
}
How to fix Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')?
To fix the buffer overflow vulnerability, we need to ensure that the buffer is large enough to store the input data or truncate the input data to fit into the buffer safely. The strncpy function can be used instead of strcpy because it allows specifying the maximum number of characters to copy, preventing overflow. Additionally, it's crucial to ensure that the destination buffer is null-terminated after using strncpy, as it does not guarantee null termination if the source string is longer than the specified length. This fix prevents the buffer overflow by controlling the amount of data copied.
Fixed Code Example
#include <stdio.h>
#include <string.h>
// This function safely copies input to the buffer
void copy_input(char *input) {
char buffer[10];
// Fixed line: Use strncpy to limit the number of characters copied
// This ensures no more than 9 characters are copied, leaving space for null terminator
strncpy(buffer, input, sizeof(buffer) - 1);
// Manually null-terminate to ensure buffer contains a valid C-string
buffer[sizeof(buffer) - 1] = '\0';
printf("Buffer content: %s\n", buffer);
}
int main() {
char user_input[100];
printf("Enter input: ");
fgets(user_input, sizeof(user_input), stdin);
// Removing newline character from fgets
user_input[strcspn(user_input, "\n")] = 0;
copy_input(user_input);
return 0;
}
Explanation:
In the fixed code:
strncpyis used instead ofstrcpyto prevent buffer overflow by explicitly specifying the maximum number of characters to copy, which issizeof(buffer) - 1.- The buffer is manually null-terminated to ensure it contains a valid C-string, enhancing the program's reliability and security.
- Comments have been added to explain both the vulnerability and the fix thoroughly.