CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer
Use of Path Manipulation Function without Maximum-sized Buffer
Weakness ID: 785 (Weakness Variant)
Status: Incomplete
Description
Description Summary
The software invokes a function for normalizing paths or file
names, but it provides an output buffer that is smaller than the maximum
possible size, such as PATH_MAX.
Extended Description
Passing an inadequately-sized output buffer to a path manipulation
function can result in a buffer overflow. Such functions include realpath(),
readlink(), PathAppend(), and others.
Time of Introduction
Implementation
Applicable Platforms
Languages
C
C++
Demonstrative Examples
Example 1
(Bad Code)
C
char *createOutputDirectory(char *name) {
char outputDirectoryName[128];
if (getCurrentDirectory(128, outputDirectoryName) == 0)
{
return null;
}
if (!PathAppend(outputDirectoryName, "output")) {
return null;
}
if (!PathAppend(outputDirectoryName, name)) {
return null;
}
if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL) !=
ERROR_SUCCESS) {
return null;
}
return StrDup(outputDirectoryName);
}
In this example the function creates a directory named
"output\<name>" in the current directory and returns a
heap-allocated copy of its name. For most values of the current
directory and the name parameter, this function will work properly.
However, if the name parameter is particularly long, then the second
call to PathAppend() could overflow the outputDirectoryName buffer,
which is smaller than MAX_PATH bytes.
Potential Mitigations
Phase
Description
Implementation
Always specify output buffers large enough to handle the maximum-size
possible result from path manipulation functions.
Background Details
Windows provides a large number of utility functions that manipulate
buffers containing filenames. In most cases, the result is returned in a
buffer that is passed in as input. (Usually the filename is modified in
place.) Most functions require the buffer to be at least MAX_PATH bytes in
length, but you should check the documentation for each function
individually. If the buffer is not large enough to store the result of the
manipulation, a buffer overflow can occur.
1. end statement that passes buffer to path manipulation function
where the size of the buffer is smaller than expected by the path
manipulation function
Maintenance Notes
Much of this entry was originally part of CWE-249, which was deprecated
for several reasons.
This entry is at a much lower level of abstraction than most entries
because it is function-specific. It also has significant overlap with other
entries that can vary depending on the perspective. For example, incorrect
usage could trigger either a stack-based overflow (CWE-121) or a heap-based
overflow (CWE-122). The CWE team has not decided how to handle such
entries.
Content History
Submissions
Submission Date
Submitter
Organization
Source
7 Pernicious Kingdoms
Externally Mined
Modifications
Modification Date
Modifier
Organization
Source
2008-07-01
Eric Dalci
Cigital
External
updated Time of Introduction
2008-08-01
KDM Analytics
External
added/updated white box definitions
2008-09-08
CWE Content Team
MITRE
Internal
updated Applicable Platforms, Relationships, Other Notes,
Taxonomy Mappings
Description
