Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-467 (在指针类型上使用sizeof()) — Vulnerability Class 2

2 vulnerabilities classified as CWE-467 (在指针类型上使用sizeof()). AI Chinese analysis included.

CWE-467 represents a logical error where developers incorrectly apply the sizeof operator to a pointer variable rather than the underlying data structure it references. This weakness typically arises when programmers assume sizeof returns the size of the pointed-to array or object, leading to severe buffer overflows or underflows during memory allocation and copying operations. Attackers exploit this miscalculation by triggering out-of-bounds memory accesses, potentially achieving arbitrary code execution or causing application crashes through denial of service. To prevent this vulnerability, developers must explicitly pass the correct data type or array length to sizeof, ensuring the calculation reflects the actual memory footprint of the target data. Rigorous static analysis tools and code reviews are essential for identifying these subtle pointer arithmetic errors before deployment, thereby maintaining memory safety and application integrity.

MITRE CWE Description
The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to. The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug.
Common Consequences (1)
Integrity, ConfidentialityModify Memory, Read Memory
This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows.
Mitigations (1)
ImplementationUse expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
Examples (2)
Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.
double *foo; ... foo = (double *)malloc(sizeof(foo));
Bad · C
double *foo; ... foo = (double *)malloc(sizeof(*foo));
Good · C
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */ char *username = "admin"; char *pass = "password"; int AuthenticateUser(char *inUser, char *inPass) { printf("Sizeof username = %d\n", sizeof(username)); printf("Sizeof pass = %d\n", sizeof(pass)); if (strncmp(username, inUser, sizeof(username))) { printf("Auth failure of username using sizeof\n"); return(AUTH_FAIL); } /* Because of CWE-467, the sizeof returns 4 on many platforms and architectures. */ if (! strncmp(pass, inPass, sizeof(pass))) { printf("Auth success of password
Bad · C
pass5 passABCDEFGH passWORD
Attack
CVE IDTitleCVSSSeverityPublished
CVE-2025-33132 Fixes to common vulnerabilities found in IBM Db2 High Performance Unload — DB2 High Performance Unload 6.5 Medium2025-10-27
CVE-2020-1638 Junos OS & Junos OS Evolved: A specific IPv4 packet can lead to FPC restart. — Junos OS 7.5 High2020-04-08

Vulnerabilities classified as CWE-467 (在指针类型上使用sizeof()) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.