CWE-131: Incorrect Calculation of Buffer Size

What is Incorrect Calculation of Buffer Size?

• Overview: Incorrect Calculation of Buffer Size (CWE-131) occurs when a program does not correctly calculate the amount of memory needed for a buffer. This mistake can lead to buffer overflows, where data exceeds the allocated space, potentially causing crashes or allowing attackers to inject malicious code.

• Exploitation Methods:

• Attackers can exploit this vulnerability by providing input that exceeds the calculated buffer size, triggering a buffer overflow.
• Common attack patterns include crafting inputs that overflow the buffer to overwrite adjacent memory, potentially leading to arbitrary code execution or application crashes.

• Security Impact:

• Direct consequences of successful exploitation include unauthorized code execution, application crashes, or data corruption.
• Potential cascading effects include escalating privileges, unauthorized access to sensitive data, and compromise of system integrity.
• Business impact may involve data breaches, loss of customer trust, financial penalties, and damage to the organization's reputation.

• Prevention Guidelines:

• Specific code-level fixes include using functions that safely handle memory allocation and bounds checking, such as strncpy instead of strcpy.
• Security best practices recommend validating all input lengths, employing safe memory allocation functions, and avoiding deprecated or unsafe standard library functions.
• Recommended tools and frameworks include static analysis tools to detect buffer size calculation errors and adopting memory-safe languages or libraries that abstract memory management.

Corgea can automatically detect and fix Incorrect Calculation of Buffer Size in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: C, C++

Affected Technologies: Not specified

Vulnerable Code Example

C Example

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void copy_string(const char *source) {
    // Incorrect buffer size calculation
    char *buffer = (char *)malloc(strlen(source) * sizeof(char)); // Incorrect: no space for null terminator
    if (buffer == NULL) {
        fprintf(stderr, "Memory allocation failed\n");
        return;
    }
    strcpy(buffer, source); // Potential buffer overflow due to missing null terminator space
    printf("Copied string: %s\n", buffer);
    free(buffer);
}

int main() {
    const char *str = "This is a test string.";
    copy_string(str);
    return 0;
}

Explanation:

• Incorrect Buffer Size Calculation: The buffer is allocated with a size equal to the length of the source string, but it does not account for the null terminator (\0), leading to a potential buffer overflow.
• Unsafe String Copying: Using strcpy without ensuring the destination buffer is large enough can cause overflow if the null terminator is not included in the allocation.

How to fix Incorrect Calculation of Buffer Size?

Fixed Code Example

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void copy_string(const char *source) {
    // Correct buffer size calculation, includes space for null terminator
    size_t buffer_size = strlen(source) + 1; // Correct: includes null terminator
    char *buffer = (char *)malloc(buffer_size * sizeof(char));
    if (buffer == NULL) {
        fprintf(stderr, "Memory allocation failed\n");
        return;
    }
    // Safe copying with strncpy, ensuring buffer size is not exceeded
    strncpy(buffer, source, buffer_size);
    // Ensure null termination if strncpy doesn't copy it
    buffer[buffer_size - 1] = '\0';
    printf("Copied string: %s\n", buffer);
    free(buffer);
}

int main() {
    const char *str = "This is a test string.";
    copy_string(str);
    return 0;
}

Key Fixes:

• Correct Buffer Size Calculation: The buffer size is calculated as strlen(source) + 1 to accommodate the null terminator.
• Safe String Copying: strncpy is used to safely copy the string, specifying the buffer size to prevent overflow. The code also ensures the buffer is null-terminated.
• Best Practices: The example follows best practices by checking the result of memory allocation and ensuring the buffer is properly null-terminated after using strncpy.