The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.
The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug.
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| ChildOf | Allowed | B | 131 | Incorrect Calculation of Buffer Size |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 737 | CERT C Secure Coding Standard (2008) Chapter 4 - Expressions (EXP) |
| MemberOf | Prohibited | C | 740 | CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR) |
| MemberOf | Prohibited | C | 874 | CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR) |
| MemberOf | Prohibited | V | 884 | CWE Cross-section |
| MemberOf | Prohibited | C | 974 | SFP Secondary Cluster: Incorrect Buffer Length Computation |
| MemberOf | Prohibited | C | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM) |
| MemberOf | Prohibited | C | 1408 | Comprehensive Categorization: Incorrect Calculation |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | BS | BOSS-274 | High likelihood of exploit |
| MemberOf | Prohibited | BS | BOSS-323 | Read Memory (impact) |
| MemberOf | Prohibited | BS | BOSS-331 | Modify Memory (impact) |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM) |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 974 | SFP Secondary Cluster: Incorrect Buffer Length Computation |
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| IntegrityConfidentiality | N/A | Modify MemoryRead Memory | This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows. |
This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows.
Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
N/A
Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.
In this example, sizeof(foo) returns the size of the pointer.
In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287).
Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user:
Because only 4 characters are checked, this significantly reduces the search space for an attacker, making brute force attacks more feasible.
The same problem also applies to the username, so values such as "adminXYZ" and "administrator" will succeed for the username.
| Reference | Description |
|---|
| Ordinality | Description |
|---|---|
| Primary | N/A |
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
N/A
This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|---|---|---|
| CLASP | N/A | N/A | Use of sizeof() on a pointer type |
| CERT C Secure Coding | ARR01-C | N/A | Do not apply the sizeof operator to a pointer when taking the size of an array |
| CERT C Secure Coding | MEM35-C | CWE More Abstract | Allocate sufficient memory for an object |
| Software Fault Patterns | SFP10 | N/A | Incorrect Buffer Length Computation |
| ID | Name |
|---|