Page History

In this noncompliant code example, integer values returned by {{parseint(getdata())}} are stored into an array of {{INTBUFSIZE}} elements of type {{int}} called {{buf}} \[[Dowd 06|AA. References#DowdBibliography#Dowd 06]\].  If data is available for insertion into {{buf}} (which is indicated by {{havedata()}}) and {{buf_ptr}} has not been incremented past {{buf + sizeof(buf)}}, an integer value is stored at the address referenced by {{buf_ptr}}. However, the {{sizeof}} operator returns the total number of bytes in {{buf}}, which is typically a multiple of the number of elements in {{buf}}. This value is scaled to the size of an integer and added to {{buf}}. As a result, the check to make sure integers are not written past the end of {{buf}} is incorrect and a buffer overflow is possible.

A similar situation occurred in OpenBSD's {{make}} command \[[Murenin  07|AA. References#MureninBibliography#Murenin 07]\].

\[[Dowd 06|AA. References#DowdBibliography#Dowd 06]\] Chapter 6, "C Language Issues"
\[[ISO/IEC PDTR 24772|AA. References#ISOBibliography#ISO/IEC PDTR 24772]\] "HFC Pointer casting and pointer type changes" and "RVG Pointer Arithmetic"
\[[MISRA 04|AA. References#MISRABibliography#MISRA 04]\] Rules 17.1-17.4
\[[MITRE 07|AA. References#MITREBibliography#MITRE 07]\] [CWE ID 468|http://cwe.mitre.org/data/definitions/468.html], "Incorrect Pointer Scaling"
\[[Murenin  07|AA. References#MureninBibliography#Murenin 07]\]