CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-823: Use of Out-of-range Pointer Offset

Weakness ID: 823
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

Extended Description

While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array.

Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error.

If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the program. As a result, the attack might change the state of the software as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.

+ Alternate Terms
Untrusted pointer offset:

This term is narrower than the concept of "out-of-range" offset, since the offset might be the result of a calculation or other error that does not depend on any externally-supplied values.

+ Terminology Notes

Many weaknesses related to pointer dereferences fall under the general term of "memory corruption" or "memory safety." As of September 2010, there is no commonly-used terminology that covers the lower-level variants.

+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read memory

If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.

Availability

Technical Impact: DoS: crash / exit / restart

If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.

Integrity
Confidentiality
Availability

Technical Impact: Execute unauthorized code or commands; Modify memory

If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.

+ Observed Examples
ReferenceDescription
Invalid offset in undocumented opcode leads to memory corruption.
Multimedia player uses untrusted value from a file when using file-pointer calculations.
Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
Instant messaging library does not validate an offset value specified in a packet.
Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
negative offset leads to out-of-bounds read
untrusted offset in kernel
"blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
negative value (signed) causes pointer miscalculation
signed values cause incorrect pointer calculation
values used as pointer offsets
a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
portions of a GIF image used as offsets, causing corruption of an object pointer.
invalid numeric field leads to a free of arbitrary memory locations, then code execution.
large number of elements leads to a free of an arbitrary address
array index issue (CWE-129) with negative offset, used to dereference a function pointer
"buffer seek" value - basically an offset?
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class119Improper Restriction of Operations within the Bounds of a Memory Buffer
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory465Pointer Issues
Development Concepts699
CanPrecedeWeakness BaseWeakness Base125Out-of-bounds Read
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base787Out-of-bounds Write
Research Concepts1000
CanFollowWeakness BaseWeakness Base129Improper Validation of Array Index
Research Concepts1000
+ Research Gaps

Under-studied and probably under-reported as of September 2010. This weakness has been reported in high-visibility software, but applied vulnerability researchers have only been investigating it since approximately 2008, and there are only a few public reports. Few reports identify weaknesses at such a low level, which makes it more difficult to find and study real-world code examples.

+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Pointer Arithmetic", Page 277.. 1st Edition. Addison Wesley. 2006.
+ Maintenance Notes

There are close relationships between incorrect pointer dereferences and other weaknesses related to buffer operations. There may not be sufficient community agreement regarding these relationships. Further study is needed to determine when these relationships are chains, composites, perspective/layering, or other types of relationships. As of September 2010, most of the relationships are being captured as chains.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2010-09-22MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017