CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-469: Use of Pointer Subtraction to Determine Size

Weakness ID: 469
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

C

C++

+ Common Consequences
ScopeEffect
Access Control
Integrity
Confidentiality
Availability

Technical Impact: Execute unauthorized code or commands; Gain privileges / assume identity

There is the potential for arbitrary code execution with privileges of the vulnerable program.

+ Likelihood of Exploit

Medium

+ Demonstrative Examples

Example 1

The following example contains the method size that is used to determine the number of nodes in a linked list. The method is passed a pointer to the head of the linked list.

(Bad Code)
Example Languages: C and C++ 
struct node {
int data;
struct node* next;
};

// Returns the number of nodes in a linked list from
// the given pointer to the head of the list.
int size(struct node* head) {
struct node* current = head;
struct node* tail;
while (current != NULL) {
tail = current;
current = current->next;
}
return tail - head;
}

// other methods for manipulating the list
...

However, the method creates a pointer that points to the end of the list and uses pointer subtraction to determine the number of nodes in the list by subtracting the tail pointer from the head pointer. There no guarantee that the pointers exist in the same memory area, therefore using pointer subtraction in this way could return incorrect results and allow other unintended behavior. In this example a counter should be used to determine the number of nodes in the list, as shown in the following code.

(Good Code)
Example Languages: C and C++ 

...

int size(struct node* head) {
struct node* current = head;
int count = 0;
while (current != NULL) {
count++;
current = current->next;
}
return count;
}
+ Potential Mitigations

Phase: Implementation

Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable to "walk" from one pointer to the other and calculate the difference. Always sanity check this number.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory465Pointer Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class682Incorrect Calculation
Research Concepts (primary)1000
ChildOfCategoryCategory740CERT C Secure Coding Section 06 - Arrays (ARR)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
ChildOfCategoryCategory874CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)
Weaknesses Addressed by the CERT C++ Secure Coding Standard (primary)868
ChildOfCategoryCategory971SFP Secondary Cluster: Faulty Pointer Use
Software Fault Pattern (SFP) Clusters (primary)888
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPImproper pointer subtraction
CERT C Secure CodingARR36-CDo not subtract or compare two pointers that do not refer to the same array
CERT C Secure CodingARR37-CDo not add or subtract an integer to a pointer to a non-array object
CERT C++ Secure CodingARR36-CPPDo not subtract or compare two pointers or iterators that do not refer to the same array or container
CERT C++ Secure CodingARR37-CPPDo not add or subtract an integer to a pointer to a non-array object
Software Fault PatternsSFP7Faulty Pointer Use
+ White Box Definitions

A weakness where code path has:

1. end statement that subtracts pointer1 from pointer2

2. start statement that associates pointer1 with a memory chunk1 and pointer2 to a memory chunk2

3. memory chunk1 is not equal to the memory chunk2

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-08-01KDM AnalyticsExternal
added/updated white box definitions
2008-09-08CWE Content TeamMITREInternal
updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2008-11-24CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-09-13CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Demonstrative_Examples, Potential_Mitigations
2014-02-18CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-06-23CWE Content TeamMITREInternal
updated Other_Notes
2014-07-30CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Improper Pointer Subtraction

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017