CWE-467: Use of sizeof() on a Pointer Type
Learn about CWE-467 (Use of sizeof() on a Pointer Type), its security impact, exploitation methods, and prevention guidelines.
What is Use of sizeof() on a Pointer Type?
• Overview: This vulnerability occurs when the sizeof() operator is used on a pointer type, leading to incorrect size calculations. Developers might mistakenly use sizeof() to determine the size of the data being pointed to, rather than the size of the pointer itself.
• Exploitation Methods:
- Attackers can exploit this by causing buffer overflows or underflows if the incorrect size leads to improper memory allocation or data handling.
- Common attack patterns include manipulating memory operations or exploiting incorrect assumptions about data size.
• Security Impact:
- Direct consequences include memory corruption, unexpected behavior, or crashes.
- Potential cascading effects involve compromising data integrity and allowing unauthorized access to sensitive information.
- Business impact may include data breaches, loss of customer trust, and costly remediation efforts.
• Prevention Guidelines:
- Specific code-level fixes include ensuring that sizeof() is used on the correct data type, typically by dereferencing the pointer (e.g., sizeof(*pointer)) to get the size of the data.
- Security best practices involve thorough code reviews and testing to identify incorrect size calculations.
- Recommended tools and frameworks include static analysis tools that can detect improper use of sizeof() and automated testing frameworks to validate memory operations.
Technical Details
Likelihood of Exploit:
Affected Languages: C, C++
Affected Technologies: Not specified
Vulnerable Code Example
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void copy_string(const char *source) {
char *buffer;
// Incorrect use of sizeof() on the pointer type
// This line incorrectly calculates the size of the buffer
buffer = (char *)malloc(sizeof(buffer)); // Allocates memory only for the pointer size
if (buffer == NULL) {
fprintf(stderr, "Memory allocation failed\n");
return;
}
// This might lead to buffer overflow if source is larger than buffer
strcpy(buffer, source); // Copies source into an inadequately sized buffer
printf("Copied string: %s\n", buffer);
free(buffer);
}
int main() {
const char *my_string = "Hello, World!";
copy_string(my_string);
return 0;
}
How to fix Use of sizeof() on a Pointer Type?
The vulnerability arises from using sizeof() on a pointer, which returns the size of the pointer itself, not the size of the data it points to. This often leads to allocating insufficient memory, causing buffer overflows if the data exceeds the allocated size. To fix this, calculate the size of the data to be stored, including space for the null terminator, when allocating memory.
Fixed Code Example
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void copy_string(const char *source) {
char *buffer;
// Corrected memory allocation using strlen() to determine the data size
buffer = (char *)malloc(strlen(source) + 1); // Allocates memory for the string length plus null terminator
if (buffer == NULL) {
fprintf(stderr, "Memory allocation failed\n");
return;
}
// Now buffer is correctly sized to hold the source string
strcpy(buffer, source); // Safely copies the source string into the buffer
printf("Copied string: %s\n", buffer);
free(buffer);
}
int main() {
const char *my_string = "Hello, World!";
copy_string(my_string);
return 0;
}
In the fixed code, malloc(strlen(source) + 1) is used to allocate memory for the buffer. This ensures that the buffer is correctly sized to hold the entire string plus the null terminator. This simple but crucial change prevents the potential for buffer overflow, thereby addressing the security vulnerability. Additionally, proper error checking and resource management are demonstrated by checking the result of malloc and freeing the allocated memory.