CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE List > Individual Dictionary Definition (CWE version 2.6)
CWE-125: Out-of-bounds Read

 
Out-of-bounds Read
Weakness ID: 125 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software reads data past the end, or before the beginning, of the intended buffer.

Extended Description

This typically occurs when the pointer or its index is incremented or decremented to a position beyond the bounds of the buffer, or when pointer arithmetic results in a position outside of the valid memory location, to name a few causes. This may result in corruption of sensitive information, a crash, or code execution, among other consequences.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

C

C++

+ Common Consequences
Scope: Confidentiality
Technical Impact: Read memory

+ Demonstrative Examples

Example 1

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method.

(Bad Code) Example Language: C

    #include <stdio.h>

    int getValueFromArray(int *array, int len, int index) {
        int value;

        // check that the array index is less than the maximum
        // length of the array
        if (index < len) {
            // get the value at the specified index of the array
            value = array[index];
        }
        // if array index is invalid then output error message
        // and return value indicating error
        else {
            printf("Value is: %d\n", array[index]);
            value = -1;
        }

        return value;
    }

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This allows a negative value to be accepted as the input array index, which results in an out-of-bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that it is within the minimum and maximum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.

(Good Code) Example Language: C

    ...

    // check that the array index is within the correct
    // range of values for the array
    if (index >= 0 && index < len) {

    ...
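The following C program is an added example; it is not code from the CWE entry. It compares the page's one-sided check (index < len) with a two-sided range check (index >= 0 && index < len) as pure predicates, counting which indices each would admit without ever dereferencing a buffer, and adds a hardened accessor, get_value_checked, that rejects negative and too-large indices and reports failure through a return code plus an out-parameter. That last choice avoids the page's "-1 means error" convention, which cannot be told apart from a legitimately stored -1. The sample buffer, probe indices and function names are constructed for this example.

```c
/* Added example (not from the CWE-125 entry). Constructed names and data. */
#include <stdio.h>
#include <stddef.h>
#include <limits.h>

/* Predicate equivalent to the page's "bad" check: it bounds the index from
 * above only, so every negative index is accepted (CWE-839). */
int accepts_upper_only(int len, int index) {
    return index < len;
}

/* Two-sided range check (CWE-129): admits exactly the indices 0 .. len-1. */
int accepts_in_range(int len, int index) {
    return index >= 0 && index < len;
}

/* Hardened accessor. Returns 0 and stores the element in *out on success,
 * or -1 without touching any memory outside the buffer. Using an
 * out-parameter keeps the error signal separate from the data, so a stored
 * element whose value happens to be -1 is not mistaken for an error. */
int get_value_checked(const int *array, int len, int index, int *out) {
    if (array == NULL || out == NULL || len < 0) {
        return -1;
    }
    if (!accepts_in_range(len, index)) {
        return -1;              /* negative or >= len: refuse, do not read */
    }
    *out = array[index];
    return 0;
}

/* Counts how many indices in [lo, hi] a predicate lets through, so the two
 * checks can be compared side by side without an out-of-bounds access. */
int count_admitted(int (*pred)(int, int), int len, int lo, int hi) {
    int n = 0;
    for (int i = lo; i <= hi; i++) {
        if (pred(len, i)) {
            n++;
        }
    }
    return n;
}

int main(void) {
    /* Constructed sample buffer; element 1 is -1 on purpose to show why a
     * -1 sentinel return value is ambiguous. */
    int data[4] = {10, -1, 30, 40};
    int probes[] = {-1, 0, 1, 3, 4, INT_MIN};

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int v = 0;
        if (get_value_checked(data, 4, probes[i], &v) == 0) {
            printf("index %d -> value %d\n", probes[i], v);
        } else {
            printf("index %d -> rejected\n", probes[i]);
        }
    }

    printf("upper-only check admits %d of the indices in [-4, 7]\n",
           count_admitted(accepts_upper_only, 4, -4, 7));
    printf("full range check admits %d of the indices in [-4, 7]\n",
           count_admitted(accepts_in_range, 4, -4, 7));
    return 0;
}
```

With a four-element buffer, the upper-only predicate admits eight of the twelve probed indices (all of -4 through 3), while the two-sided check admits only 0 through 3; the accessor returns 0 for index 1 with the value -1 stored through the out-parameter, and -1 (rejected) for -1, 4 and INT_MIN.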
+ Observed Examples
Reference | Description
CVE-2004-0112 | out-of-bounds read due to improper length check
CVE-2004-0183 | packet with large number of specified elements cause out-of-bounds read.
CVE-2004-0221 | packet with large number of specified elements cause out-of-bounds read.
CVE-2004-0184 | out-of-bounds read, resultant from integer underflow
CVE-2004-1940 | large length value causes out-of-bounds read
CVE-2004-0421 | malformed image causes out-of-bounds read
+ Weakness Ordinalities
Ordinality | Description
Primary | (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Category | 890 | SFP Cluster: Memory Access | Software Fault Pattern (SFP) Clusters (primary) 888
ParentOf | Weakness Variant | 126 | Buffer Over-read | Development Concepts 699; Research Concepts 1000
ParentOf | Weakness Variant | 127 | Buffer Under-read | Development Concepts 699; Research Concepts 1000
CanFollow | Weakness Base | 822 | Untrusted Pointer Dereference | Research Concepts 1000
CanFollow | Weakness Base | 823 | Use of Out-of-range Pointer Offset | Research Concepts 1000
CanFollow | Weakness Base | 824 | Access of Uninitialized Pointer | Research Concepts 1000
CanFollow | Weakness Base | 825 | Expired Pointer Dereference | Research Concepts 1000
+ Research Gaps

Under-studied and under-reported. Most issues are probably labeled as buffer overflows.

+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | (not given) | (not given) | Out-of-bounds Read
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 5: Buffer Overruns." Page 89. McGraw-Hill. 2010.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
(not given) | PLOVER | (not given) | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2009-10-29 | CWE Content Team | MITRE | Internal
    updated Description
2010-09-27 | CWE Content Team | MITRE | Internal
    updated Relationships
2011-06-01 | CWE Content Team | MITRE | Internal
    updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal
    updated Demonstrative_Examples, References, Relationships
Page Last Updated: February 18, 2014