Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-469:Use of Pointer Subtraction to Determine Size
Weakness ID:469
Version:v4.17
Weakness Name:Use of Pointer Subtraction to Determine Size
Vulnerability Mapping:Allowed
Abstraction:Base
Structure:Simple
Status:Draft
Likelihood of Exploit:Medium
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfDiscouragedP682Incorrect Calculation
Nature: ChildOf
Mapping: Discouraged
Type: Pillar
ID: 682
Name: Incorrect Calculation
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC465Pointer Issues
MemberOfProhibitedC740CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR)
MemberOfProhibitedC874CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)
MemberOfProhibitedV884CWE Cross-section
MemberOfProhibitedC971SFP Secondary Cluster: Faulty Pointer Use
MemberOfProhibitedC1160SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
MemberOfProhibitedC1408Comprehensive Categorization: Incorrect Calculation
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 465
Name: Pointer Issues
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 740
Name: CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR)
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 874
Name: CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)
Nature: MemberOf
Mapping: Prohibited
Type:View
ID: 884
Name: CWE Cross-section
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 971
Name: SFP Secondary Cluster: Faulty Pointer Use
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1160
Name: SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1408
Name: Comprehensive Categorization: Incorrect Calculation
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-273Medium likelihood of exploit
MemberOfProhibitedBSBOSS-311Execute Unauthorized Code or Commands (impact)
MemberOfProhibitedBSBOSS-323Read Memory (impact)
MemberOfProhibitedBSBOSS-331Modify Memory (impact)
MemberOfProhibitedBSBOSS-332Gain Privileges or Assume Identity (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-273
Name: Medium likelihood of exploit
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-311
Name: Execute Unauthorized Code or Commands (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-323
Name: Read Memory (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-331
Name: Modify Memory (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-332
Name: Gain Privileges or Assume Identity (impact)
▼Relevant To View
Relevant to the view"Weaknesses Addressed by the SEI CERT C Coding Standard - (1154)"
NatureMappingTypeIDName
MemberOfProhibitedC1160SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1160
Name: SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
Relevant to the view"Software Development - (699)"
NatureMappingTypeIDName
MemberOfProhibitedC465Pointer Issues
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 465
Name: Pointer Issues
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC971SFP Secondary Cluster: Faulty Pointer Use
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 971
Name: SFP Secondary Cluster: Faulty Pointer Use
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
Access ControlIntegrityConfidentialityAvailabilityN/AModify MemoryRead MemoryExecute Unauthorized Code or CommandsGain Privileges or Assume Identity

There is the potential for arbitrary code execution with privileges of the vulnerable program.

Scope: Access Control, Integrity, Confidentiality, Availability
Likelihood: N/A
Impact: Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity
Note:

There is the potential for arbitrary code execution with privileges of the vulnerable program.

▼Potential Mitigations
Phase:Implementation
Mitigation ID:
Strategy:
Effectiveness:
Description:

Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable to "walk" from one pointer to the other and calculate the difference. Always validate this number.

Note:

▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: C(Undetermined Prevalence)
Class: C++(Undetermined Prevalence)
▼Demonstrative Examples
Example 1

The following example contains the method size that is used to determine the number of nodes in a linked list. The method is passed a pointer to the head of the linked list.

Language: ( code)
N/A

Language: C(Bad code)
struct node { int data; struct node* next; }; // Returns the number of nodes in a linked list from* *// the given pointer to the head of the list.* int size(struct node* head) { struct node* current = head; struct node* tail; while (current != NULL) { tail = current; current = current->next; } return tail - head; } // other methods for manipulating the list* ...

Language: ( code)
N/A

However, the method creates a pointer that points to the end of the list and uses pointer subtraction to determine the number of nodes in the list by subtracting the tail pointer from the head pointer. There no guarantee that the pointers exist in the same memory area, therefore using pointer subtraction in this way could return incorrect results and allow other unintended behavior. In this example a counter should be used to determine the number of nodes in the list, as shown in the following code.

Language: C(Good code)
... int size(struct node* head) { struct node* current = head; int count = 0; while (current != NULL) { count++; current = current->next; } return count; }

▼Observed Examples
ReferenceDescription
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      Fuzzing
      Detection Method ID:DM-13
      Description:

      Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.

      Effectiveness:High
      Note:

      N/A

      Automated Static Analysis
      Detection Method ID:DM-14
      Description:

      Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

      Effectiveness:High
      Note:

      N/A

      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      CLASPN/AN/AImproper pointer subtraction
      CERT C Secure CodingARR36-CExactDo not subtract or compare two pointers that do not refer to the same array
      Software Fault PatternsSFP7N/AFaulty Pointer Use
      Taxonomy Name: CLASP
      Entry ID: N/A
      Fit: N/A
      Entry Name: Improper pointer subtraction
      Taxonomy Name: CERT C Secure Coding
      Entry ID: ARR36-C
      Fit: Exact
      Entry Name: Do not subtract or compare two pointers that do not refer to the same array
      Taxonomy Name: Software Fault Patterns
      Entry ID: SFP7
      Fit: N/A
      Entry Name: Faulty Pointer Use
      ▼Related Attack Patterns
      IDName
      ▼References
      Reference ID: REF-18
      Title: The CLASP Application Security Process
      Author: Secure Software, Inc.
      Section:
      Publication:
      Publisher:
      Edition:
      URL:https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
      URL Date:2024-11-17
      Day:N/A
      Month:N/A
      Year:2005
      Details not found