The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array.
Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error.
If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the program. As a result, the attack might change the state of the software as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.
Untrusted pointer offset:
This term is narrower than the concept of "out-of-range" offset, since
the offset might be the result of a calculation or other error that does
not depend on any externally-supplied values.
Many weaknesses related to pointer dereferences fall under the general
term of "memory corruption" or "memory safety." As of September 2010, there
is no commonly-used terminology that covers the lower-level variants.
Technical Impact: Read memory
If the untrusted pointer is used in a read operation, an attacker
might be able to read sensitive portions of memory.
Technical Impact: DoS: crash / exit /
If the untrusted pointer references a memory location that is not
accessible to the program, or points to a location that is "malformed"
or larger than expected by a read or write operation, the application
may terminate unexpectedly.
Technical Impact: Execute unauthorized code or
commands; Modify memory
If the untrusted pointer is used in a function call, or points to
unexpected data in a write operation, then code execution may be
Under-studied and probably under-reported as of September 2010. This
weakness has been reported in high-visibility software, but applied
vulnerability researchers have only been investigating it since
approximately 2008, and there are only a few public reports. Few reports
identify weaknesses at such a low level, which makes it more difficult to
find and study real-world code examples.
[REF-7] Mark Dowd, John McDonald
and Justin Schuh. "The Art of Software Security Assessment". Chapter 6, "Pointer Arithmetic", Page
277.. 1st Edition. Addison Wesley. 2006.
There are close relationships between incorrect pointer dereferences and
other weaknesses related to buffer operations. There may not be sufficient
community agreement regarding these relationships. Further study is needed
to determine when these relationships are chains, composites,
perspective/layering, or other types of relationships. As of September 2010,
most of the relationships are being captured as chains.