CWE-786: Access of Memory Location Before Start of Buffer

CWE-786: Access of Memory Location Before Start of Buffer | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character.

Vulnerable example

char* trimTrailingWhitespace(char *strMessage, int length) {

However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer.

The following example asks a user for an offset into an array to select an item.

The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126).

The following is an example of code that may result in a buffer underwrite. This code is attempting to replace the substring "Replace Me" in destBuf with the string stored in srcBuf. It does so by using the function strstr(), which returns a pointer to the found substring in destBuf. Using pointer arithmetic, the starting index of the substring is found.

Vulnerable example

int main() {

In the case where the substring is not found in destBuf, strstr() will return NULL, causing the pointer arithmetic to be undefined, potentially setting the value of idx to a negative number. If idx is negative, this will result in a buffer underwrite of destBuf.

CWE-786: Access of Memory Location Before Start of Buffer

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Fuzzing

Automated Dynamic Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-786?

What CVEs are caused by CWE-786?

How is CWE-786 detected?

What are the consequences of CWE-786?

Is CWE-786 actively exploited?

References

Stay ahead of CWE-786

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Fuzzing

Automated Dynamic Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-786?

What CVEs are caused by CWE-786?

How is CWE-786 detected?

What are the consequences of CWE-786?

Is CWE-786 actively exploited?

References

Stay ahead of CWE-786