CWE-467: Use of sizeof() on a Pointer Type

Description

The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.

Extended Description

The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Modify Memory, Read Memory — Notes: This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows.

Potential Mitigations

Implementation: Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack. (N/A)

Applicable Platforms

C (N/A, Undetermined)
C++ (N/A, Undetermined)

Demonstrative Examples

Intro: Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.

Body: In this example, sizeof(foo) returns the size of the pointer.

double *foo; ... foo = (double *)malloc(sizeof(foo));

Intro: This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.

Body: In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287).

/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ char *username = "admin"; char *pass = "password"; int AuthenticateUser(char *inUser, char *inPass) { printf("Sizeof username = %d\n", sizeof(username)); printf("Sizeof pass = %d\n", sizeof(pass)); if (strncmp(username, inUser, sizeof(username))) { printf("Auth failure of username using sizeof\n"); return(AUTH_FAIL); } /* Because of CWE-467, the sizeof returns 4 on many platforms and architectures. */ if (! strncmp(pass, inPass, sizeof(pass))) { printf("Auth success of password using sizeof\n"); return(AUTH_SUCCESS); } else { printf("Auth fail of password using sizeof\n"); return(AUTH_FAIL); } } int main (int argc, char **argv) { int authResult; if (argc < 3) { ExitError("Usage: Provide a username and password"); } authResult = AuthenticateUser(argv[1], argv[2]); if (authResult != AUTH_SUCCESS) { ExitError("Authentication failed"); } else { DoAuthenticatedTask(argv[1]); } }

Notes

No notes available.

← Back to CWE list