CWE-135: Incorrect Calculation of Multi-Byte String Length

Weakness ID: 135 (Weakness Base)
Status: Draft
+ Description

Description Summary

The software does not correctly calculate the length of strings that can contain wide or multi-byte characters.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

C

C++

+ Common Consequences
Scope | Effect

Technical Impact: Execute unauthorized code or commands

This weakness may lead to a buffer overflow. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service.

Technical Impact: Read memory; DoS: crash / exit / restart; DoS: resource consumption (CPU); DoS: resource consumption (memory)

Out-of-bounds memory access will very likely corrupt relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks on availability are possible, including putting the program into an infinite loop.

Technical Impact: Read memory

In the case of an out-of-bounds read, the attacker may gain access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.

+ Enabling Factors for Exploitation

There are several ways in which improper string length checking may result in an exploitable condition. All of these, however, involve the introduction of buffer overflow conditions in order to reach an exploitable state.

The first of these issues occurs when the output of a string-length function for a wide or multi-byte character string is used as the size of a memory allocation. Such a function returns the number of characters in the string, but those characters are most likely not single bytes, as they are in standard character strings. So, passing the returned count to new or malloc as a byte size and then copying the string into the newly allocated memory will result in a buffer overflow.

Another common way these strings are misused involves mixing standard string functions and wide or multi-byte string functions on a single string. Invariably, this mismatch will result in the creation of a possibly exploitable buffer overflow condition.

+ Demonstrative Examples

Example 1

The following example would be exploitable if any of the commented-out incorrect malloc calls were used.

(Bad Code)
Example Language: C
#include <stdio.h>
#include <stdlib.h>   /* malloc */
#include <string.h>   /* strlen */
#include <wchar.h>    /* wcslen */

int main() {

    wchar_t wideString[] = L"The spazzy orange tiger jumped " \
    "over the tawny jaguar.";
    wchar_t *newString;

    /* strlen() counts bytes up to the first zero byte, so calling it on a wide
       string is exactly the byte/wide mismatch this example illustrates; the cast
       only lets the call compile, it does not make the result meaningful. */
    printf("Strlen() output: %zu\nWcslen() output: %zu\n",
           strlen((const char *) wideString), wcslen(wideString));

    /* Wrong because the number of chars in a string isn't related to its length in bytes:
    newString = (wchar_t *) malloc(strlen((const char *) wideString));
    */

    /* Wrong because wide characters aren't 1 byte long!
    newString = (wchar_t *) malloc(wcslen(wideString));
    */

    /* Wrong because wcslen does not include the terminating null */
    newString = (wchar_t *) malloc(wcslen(wideString) * sizeof(wchar_t));

    /* correct! */
    newString = (wchar_t *) malloc((wcslen(wideString) + 1) * sizeof(wchar_t));

    /* ... */
    return 0;
}

The output from the printf() statement would be:

(Result)
 
Strlen() output: 0
Wcslen() output: 53
+ Potential Mitigations

Phase: Implementation

Strategy: Input Validation

Always verify the size of the string's unit character before treating a character count as a byte count.

Phase: Implementation

Strategy: Libraries or Frameworks

Use length-computing functions (e.g. strlen, wcslen, etc.) only with the string type they are defined for (e.g. byte strings, wchar_t strings, etc.).
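The two mistakes described under Enabling Factors for Exploitation (a wcslen() count used directly as a byte size, and byte and wide string functions mixed on one string) and the mitigations above are illustrated by the following added example, which is not part of the CWE entry; wide_bytes_needed, wide_dup, wide_dup_matches and multibyte_to_wide_len are hypothetical helper names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical helper: byte size needed to hold a wide string including its
   terminator, or 0 on overflow. wcslen() counts wchar_t units, so the count is
   extended by one unit for L'\0' and then scaled by sizeof(wchar_t). */
size_t wide_bytes_needed(const wchar_t *s) {
    size_t units = wcslen(s);
    if (units > (SIZE_MAX / sizeof(wchar_t)) - 1)
        return 0;                        /* (units + 1) * sizeof(wchar_t) would wrap */
    return (units + 1) * sizeof(wchar_t);
}

/* Duplicate a wide string into an allocation sized in bytes, not characters. */
wchar_t *wide_dup(const wchar_t *s) {
    size_t bytes = wide_bytes_needed(s);
    if (bytes == 0)
        return NULL;
    wchar_t *copy = malloc(bytes);
    if (copy == NULL)
        return NULL;
    memcpy(copy, s, bytes);              /* memcpy takes bytes, so pass bytes */
    return copy;
}

/* Self-check: duplicate s with wide_dup and compare; returns 1 on an exact match. */
int wide_dup_matches(const wchar_t *s) {
    wchar_t *copy = wide_dup(s);
    int ok = copy != NULL && wcscmp(copy, s) == 0;
    free(copy);
    return ok;
}

/* Convert a multi-byte string in the current locale to a wide buffer sized from
   the converted unit count reported by mbstowcs(NULL, src, 0), never from
   strlen(src), and return the wide length; (size_t)-1 on invalid input or OOM. */
size_t multibyte_to_wide_len(const char *src) {
    size_t units = mbstowcs(NULL, src, 0);
    if (units == (size_t)-1 || units > (SIZE_MAX / sizeof(wchar_t)) - 1)
        return (size_t)-1;
    wchar_t *out = malloc((units + 1) * sizeof(wchar_t));
    if (out == NULL)
        return (size_t)-1;
    mbstowcs(out, src, units + 1);       /* room for the L'\0' terminator as well */
    size_t len = wcslen(out);
    free(out);
    return len;
}
```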

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 133 | String Errors | Development Concepts (primary) 699
ChildOf | Weakness Class | 682 | Incorrect Calculation | Research Concepts (primary) 1000
ChildOf | Category | 741 | CERT C Secure Coding Section 07 - Characters and Strings (STR) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734
ChildOf | Category | 857 | CERT Java Secure Coding Section 12 - Input Output (FIO) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844
ChildOf | Category | 890 | SFP Cluster: Memory Access | Software Fault Pattern (SFP) Clusters (primary) 888
MemberOf | View | 884 | CWE Cross-section | CWE Cross-section (primary) 884
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP | | | Improper string length checking
CERT C Secure Coding | STR33-C | | Size wide character strings correctly
CERT Java Secure Coding | FIO10-J | | Ensure the array is filled when using read() to fill an array
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| | | Externally Mined

Contributions
Contribution Date | Contributor | Organization | Source
2010-01-11 | Unitrends | | Feedback
correction to Demonstrative_Example

Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Cigital | | External
updated Potential_Mitigations, Time_of_Introduction
2008-09-08 | MITRE | | Internal
updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings
2008-11-24 | MITRE | | Internal
updated Relationships, Taxonomy_Mappings
2009-05-27 | MITRE | | Internal
updated Description
2010-02-16 | MITRE | | Internal
updated Demonstrative_Examples, References
2011-06-01 | MITRE | | Internal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 | MITRE | | Internal
updated Common_Consequences
2012-05-11 | MITRE | | Internal
updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
2012-10-30 | MITRE | | Internal
updated Potential_Mitigations
2014-06-23 | MITRE | | Internal
updated Enabling_Factors_for_Exploitation, Other_Notes

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Improper String Length Checking
Page Last Updated: June 23, 2014