Structure: Simple
Abstraction: Base
Status: Incomplete
Likelihood of Exploit: Medium
In C and C++, one may often accidentally refer to the wrong memory because of the semantics of pointer arithmetic, in which integer additions to a pointer are implicitly scaled by the size of the pointed-to type.
Language: C (prevalence undetermined), C++ (prevalence undetermined)
Scope | Impact | Notes
---|---|---
Confidentiality, Integrity | Read Memory, Modify Memory | Incorrect pointer scaling will often result in buffer overflow conditions. Confidentiality can be compromised if the weakness is in the context of a buffer over-read or under-read.
Strategy:
Use a platform with high-level memory abstractions.
Strategy:
Always use array indexing instead of direct pointer manipulation.
Strategy:
Use technologies for preventing buffer overflows.
This example attempts to calculate the position of the second byte of a pointer.
bad C
In this example, second_char is intended to point to the second byte of p. But adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory, whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little-endian environment.
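As an added illustration (not code from the CWE entry itself), the scaled expression described above beside the two intended forms, with each byte offset returned so it can be checked; the buffer `sample_buf` and the helper names are constructed for this example:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample buffer with distinguishable byte values. */
static const int sample_buf[4] = {0x04030201, 0x08070605, 0x0C0B0A09, 0x100F0E0D};

/* Incorrect form from the description: p + 1 is scaled by sizeof(int)
   before the cast, so second_char is sizeof(int) bytes past p, not 1. */
size_t scaled_offset(const int *p) {
    const char *second_char = (const char *)(p + 1);
    return (size_t)(second_char - (const char *)p);
}

/* Corrected form: cast to a byte pointer first, then add 1 unscaled. */
size_t unscaled_offset(const int *p) {
    const char *second_char = (const char *)p + 1;
    return (size_t)(second_char - (const char *)p);
}

/* Mitigation "use array indexing": copy the object into a byte array and
   index it; bytes[1] cannot be silently scaled. Which value that is
   (high or low byte) still depends on endianness, as the entry notes. */
unsigned char second_byte(const int *p) {
    unsigned char bytes[sizeof *p];
    memcpy(bytes, p, sizeof bytes);
    return bytes[1];
}

/* Returns 1 when the scaled expression for element i of an n-int array
   points at or beyond the array's end, i.e. a read through it would be
   a buffer over-read (the consequence listed in the table above). */
int scaled_read_overflows(const int *base, size_t n, size_t i) {
    const char *end = (const char *)(base + n);
    const char *second_char = (const char *)(base + i + 1);
    return second_char >= end;
}

int main(void) {
    printf("sizeof(int)            = %zu\n", sizeof(int));
    printf("(char *)(p + 1) offset = %zu bytes\n", scaled_offset(sample_buf));
    printf("(char *)p + 1   offset = %zu bytes\n", unscaled_offset(sample_buf));
    printf("second byte of buf[0]  = 0x%02x\n", second_byte(sample_buf));
    printf("scaled read on last int over-reads: %d\n",
           scaled_read_overflows(sample_buf, 4, 3));
    return 0;
}
```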
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
CLASP | | | Unintentional pointer scaling
CERT C Secure Coding | ARR39-C | Exact | Do not add or subtract a scaled integer to a pointer
CERT C Secure Coding | EXP08-C | | Ensure pointer arithmetic is used correctly
Software Fault Patterns | SFP1 | | Glitch in computation