CWE-127: Buffer Under-read

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method

Vulnerable example

int getValueFromArray(int *array, int len, int index) {

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-127?

What CVEs are caused by CWE-127?

How is CWE-127 detected?

What are the consequences of CWE-127?

Is CWE-127 actively exploited?

References

Stay ahead of CWE-127

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-127?

What CVEs are caused by CWE-127?

How is CWE-127 detected?

What are the consequences of CWE-127?

Is CWE-127 actively exploited?

References

Stay ahead of CWE-127