Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-805 (使用不正确的长度值访问缓冲区) — Vulnerability Class 36

36 vulnerabilities classified as CWE-805 (使用不正确的长度值访问缓冲区). AI Chinese analysis included.

CWE-805 represents a critical memory safety weakness where software performs sequential read or write operations using an incorrect length value, leading to access beyond the allocated buffer boundaries. This flaw typically manifests when developers miscalculate the size of the destination buffer or fail to validate input lengths against available space, resulting in buffer overflows. Attackers exploit this vulnerability by supplying crafted inputs that exceed expected limits, allowing them to overwrite adjacent memory, corrupt data structures, or execute arbitrary code with elevated privileges. To prevent such incidents, developers must rigorously validate all length parameters before performing memory operations, ensuring they strictly adhere to the actual allocated size. Implementing bounds-checking mechanisms, utilizing safe string handling libraries, and conducting thorough code reviews are essential practices to mitigate the risk of out-of-bounds memory access and maintain application integrity.

MITRE CWE Description
The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer. When the length value exceeds the size of the destination, a buffer overflow could occur.
Common Consequences (2)
Integrity, Confidentiality, AvailabilityRead Memory, Modify Memory, Execute Unauthorized Code or Commands
Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service.
AvailabilityModify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)
Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Mitigations (5)
RequirementsUse a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a lan…
Architecture and DesignUse a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Operation, Build and CompilationUse automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses…
Effectiveness: Defense in Depth
ImplementationConsider adhering to the following rules when allocating and managing an application's memory: Double check that the buffer is as large as specified. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if accessing the buffer in a…
Architecture and DesignFor any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Examples (2)
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
void host_lookup(char *user_supplied_addr){ struct hostent *hp; in_addr_t *addr; char hostname[64]; in_addr_t inet_addr(const char *cp); /*routine that ensures user_supplied_addr is in the right format for conversion */ validate_addr_form(user_supplied_addr); addr = inet_addr(user_supplied_addr); hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET); strcpy(hostname, hp->h_name); }
Bad · C
In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:
int returnChunkSize(void *) { /* if chunk info is valid, return the size of usable memory, * else, return -1 to indicate an error */ ... } int main() { ... memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1)); ... }
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2021-31885 Siemens Nucleus ReadyStart 安全漏洞 — APOGEE MBC (PPC) (BACnet) 9.8 -2021-11-09
CVE-2021-3581 Buffer Access with Incorrect Length Value in zephyr — zephyr 7.0 High2021-10-05
CVE-2020-10774 Linux kernel 安全漏洞 — kernel 5.5 -2021-05-27
CVE-2020-14509 wibu CodeMeter 安全漏洞 — CodeMeter 9.8 -2020-09-16
CVE-2020-16101 Gallagher Command Centre Server 缓冲区错误漏洞 — Command Centre 7.5 High2020-09-15
CVE-2019-19339 Red Hat Enterprise Linux kpatch 安全漏洞 — kpatch: 6.5 -2020-01-17

Vulnerabilities classified as CWE-805 (使用不正确的长度值访问缓冲区) represent 36 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.