CWE-467 在指针类型上使用sizeof()
Use of sizeof() on a Pointer Type
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: High
基本描述
The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.
扩展描述
The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 682 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: CanPrecede cwe_CWE_ID: 131 cwe_View_ID: 1000
适用平台
Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}]
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Integrity', 'Confidentiality'] | ['Modify Memory', 'Read Memory'] | This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows. |
可能的缓解方案
Implementation
策略:
Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
示例代码
例
Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.
In this example, sizeof(foo) returns the size of the pointer.
bad C
...
foo = (double )malloc(sizeof(foo));
In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.
good C
...
foo = (double )malloc(sizeof(*foo));
例
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
bad
/ Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. /
char username = "admin";
char pass = "password";
int AuthenticateUser(char inUser, char inPass) {
printf("Sizeof pass = %d\n", sizeof(pass));
if (strncmp(username, inUser, sizeof(username))) {
return(AUTH_FAIL);
/ Because of CWE-467, the sizeof returns 4 on many platforms and architectures. /
if (! strncmp(pass, inPass, sizeof(pass))) {
return(AUTH_SUCCESS);
else {
return(AUTH_FAIL);
int main (int argc, char **argv)
{
if (argc < 3) {
authResult = AuthenticateUser(argv[1], argv[2]);
if (authResult != AUTH_SUCCESS) {
else {
In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287).
Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user:
attack
passABCDEFGH
passWORD
Because only 4 characters are checked, this significantly reduces the search space for an attacker, making brute force attacks more feasible.
The same problem also applies to the username, so values such as "adminXYZ" and "administrator" will succeed for the username.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Use of sizeof() on a pointer type | ||
| CERT C Secure Coding | ARR01-C | Do not apply the sizeof operator to a pointer when taking the size of an array | |
| CERT C Secure Coding | MEM35-C | CWE More Abstract | Allocate sufficient memory for an object |
| Software Fault Patterns | SFP10 | Incorrect Buffer Length Computation |