CWE-119
Weakness ID: 119 (Weakness Class)
Status: Draft
Buffer Errors (Improper Restriction of Operations within the Bounds of a Memory Buffer)
Description
This weakness occurs when software that performs operations on a memory buffer can read from or write to a memory location outside the intended boundary of the buffer.
Extended Description
Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer being referenced. This can cause read or write operations to be performed on memory locations associated with other variables, data structures, or internal program data.
As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information, or cause the system to crash.
Alternate Terms
Memory Corruption
The generic term "memory corruption" is often used to describe the consequences of writing to memory outside the bounds of a buffer when the root cause is something other than a sequential copy of excessive data from a fixed starting location (i.e., a classic buffer overflow, or CWE-120). This includes issues such as incorrect pointer arithmetic and access to invalid pointers due to incomplete initialization or memory release.
Time of Introduction
Architecture and Design
Operation
Applicable Platforms
C
C++
Assembly
Languages without memory management support
Platform Notes
It is possible in any programming language without memory management support to attempt an operation outside the bounds of a memory buffer, but the consequences vary widely depending on the language, platform, and chip architecture.
Common Consequences
Integrity
If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow.
If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), a function pointer can be redirected to the attacker's own malicious code. Even when the attacker can only modify a single byte, arbitrary code execution can be possible: sometimes because the same weakness can be exploited repeatedly to the same effect, other times because the attacker can overwrite security-critical, application-specific data, such as a flag indicating whether the user is an administrator.
Availability
Out-of-bounds memory access will very likely corrupt relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to loss of availability are possible, including putting the program into an infinite loop.
Confidentiality
In the case of an out-of-bounds read, the attacker may gain access to sensitive information. If that information contains system details, such as the current buffer's position in memory, it can be used to craft further attacks, possibly with more severe consequences.
Likelihood of Exploit
High to Very High
Automated Static Analysis
This weakness can be detected using automated static analysis. Many modern tools use data-flow analysis or constraint-based techniques to minimize the number of false positives.
Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations, which makes it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command-line arguments in a program that is not expected to run with setuid or other special privileges.
Effectiveness
Detection techniques for buffer-related errors are more mature than those for most other weakness types.
Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that exercise the software with large test suites of diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection (deliberately triggering error conditions).
The software's operation may slow down, but it should not become unstable, crash, or produce incorrect results.
Demonstrative Examples
Example 1:
This example takes an IP address from a user, verifies that it is well formed, then looks up the hostname and copies it into a buffer.
Sample: C (bad code)
```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* routine that ensures user_supplied_addr is in the right format for
 * conversion (defined elsewhere in the program) */
void validate_addr_form(char *user_supplied_addr);

void host_lookup(char *user_supplied_addr){
    struct hostent *hp;
    in_addr_t addr;
    char hostname[64];   /* fixed-size destination for the resolved name */

    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
    /* unbounded copy: hp->h_name may be longer than 64 bytes */
    strcpy(hostname, hp->h_name);
}
```
This function allocates a 64-byte buffer to store the hostname, but there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address that resolves to a very large hostname, sensitive data may be overwritten or control flow may even be handed to the attacker.
Example 2:
This example applies an encoding procedure to an input string and stores the result in a buffer.
Sample: C (bad code)
```c
#include <stdlib.h>
#include <string.h>

#define MAX_SIZE 1024          /* input length limit; value assumed for illustration */

extern void die(const char *msg);   /* aborts the program; defined elsewhere */

char * copy_input(char *user_supplied_string){
    int i, dst_index;
    /* assumes every input character expands by at most a factor of 4 */
    char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);
    if ( MAX_SIZE <= strlen(user_supplied_string) ){
        die("user string too long, die evil hacker!");
    }
    dst_index = 0;
    for ( i = 0; i < strlen(user_supplied_string); i++ ){
        if( '&' == user_supplied_string[i] ){
            /* '&' becomes "&amp;": five bytes, not four */
            dst_buf[dst_index++] = '&';
            dst_buf[dst_index++] = 'a';
            dst_buf[dst_index++] = 'm';
            dst_buf[dst_index++] = 'p';
            dst_buf[dst_index++] = ';';
        }
        else if ('<' == user_supplied_string[i] ){
            /* encode to &lt; */
        }
        else dst_buf[dst_index++] = user_supplied_string[i];
    }
    return dst_buf;
}
```
The programmer attempts to encode the ampersand character (&) in user-controlled input, but the length of the string is validated before the encoding procedure is applied, so the encoded result can exceed the validated length. Furthermore, the programmer assumes that encoding expands a character by at most a factor of 4, while the ampersand expands to 5 characters. As a result, an attacker who supplies a string of many ampersands overflows the destination buffer.
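A hardened counterpart to Example 2, added here as an illustration and not part of the CWE entry: the destination is sized from the exact worst-case expansion of the input rather than a guessed factor, and every write is checked against that size. MAX_SIZE is an assumed limit playing the same role as in the example; encodes_to() is a helper added only for checking results.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_SIZE 32   /* assumed input limit; same role as in Example 2 */

/* Hardened counterpart of copy_input(): the destination is sized from the
 * exact worst-case expansion instead of a guessed factor of 4, and every
 * write is bounds-checked. Returns a malloc'd string, or NULL on error. */
char *copy_input_safe(const char *user_supplied_string)
{
    size_t len = strlen(user_supplied_string);
    if (len >= MAX_SIZE)
        return NULL;                   /* same length policy as the original */
    /* Pass 1: count bytes needed. '&' -> "&amp;" (5), '<' -> "&lt;" (4). */
    size_t needed = 0;
    for (size_t i = 0; i < len; i++) {
        if (user_supplied_string[i] == '&')      needed += 5;
        else if (user_supplied_string[i] == '<') needed += 4;
        else                                     needed += 1;
    }
    char *dst_buf = malloc(needed + 1);   /* +1 for the NUL terminator */
    if (dst_buf == NULL)
        return NULL;

    /* Pass 2: emit, refusing any write that would pass the computed size. */
    size_t dst_index = 0;
    for (size_t i = 0; i < len; i++) {
        char c = user_supplied_string[i];
        const char *rep = (c == '&') ? "&amp;" : (c == '<') ? "&lt;" : NULL;
        size_t rlen = rep ? strlen(rep) : 1;
        if (dst_index + rlen > needed) {   /* cannot happen; fail closed */
            free(dst_buf);
            return NULL;
        }
        if (rep) memcpy(dst_buf + dst_index, rep, rlen);
        else     dst_buf[dst_index] = c;
        dst_index += rlen;
    }
    dst_buf[dst_index] = '\0';
    return dst_buf;
}

/* Test helper: 1 if input encodes to expected, 0 otherwise (frees output). */
int encodes_to(const char *input, const char *expected)
{
    char *out = copy_input_safe(input);
    int ok = out != NULL && strcmp(out, expected) == 0;
    free(out);
    return ok;
}
```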
Example 3:
This example retrieves a user-supplied offset to select an item from a list.
Sample: C (bad code)
```c
#include <stdio.h>
#include <stdlib.h>

/* Returns an offset supplied by the user; here it is read from stdin
 * as a stand-in for the unspecified GetUntrustedOffset() in the original */
int GetUntrustedOffset(void) {
    int offset = 0;
    if (scanf("%d", &offset) != 1) exit(1);
    return offset;
}

int main (int argc, char **argv) {
    char *items[] = {"boat", "car", "truck", "train"};
    int index = GetUntrustedOffset();
    /* index is used without a range check: 0 reads items[-1],
       and any value above 4 reads past the end of the array */
    printf("You selected %s\n", items[index-1]);
}
```
The programmer allows the user to specify which element of the list to select, but an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126).
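The same selection with the offset validated before it becomes an array index, added here as an illustration and not part of the CWE entry. It rejects the two cases the original misses: an offset of 0 (which would read items[-1], before the start of the buffer) and an offset past the end. parse_offset() is an assumed stand-in for GetUntrustedOffset() that fails closed on non-numeric input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from CWE): Example 3 with the offset validated
 * before it becomes an array index. The unchecked original computes
 * items[index-1], so index 0 reads items[-1] and a large index reads
 * past the end of the array. */
static const char *items[] = { "boat", "car", "truck", "train" };
static const size_t item_count = sizeof(items) / sizeof(items[0]);

/* Returns the selected item, or NULL when the 1-based offset is out
 * of range. 'long' keeps negative input visible instead of wrapping. */
const char *select_item(long offset)
{
    if (offset < 1 || (unsigned long)offset > item_count)
        return NULL;            /* rejects 0, negatives, and > item_count */
    return items[offset - 1];
}

/* Stand-in for GetUntrustedOffset(): parse one integer from text and
 * fail closed on anything that is not a clean decimal number. */
int parse_offset(const char *text, long *out)
{
    char *end;
    long value = strtol(text, &end, 10);
    if (end == text || *end != '\0')
        return 0;
    *out = value;
    return 1;
}

int main(int argc, char **argv)
{
    long offset;
    if (argc != 2 || !parse_offset(argv[1], &offset)) {
        fprintf(stderr, "usage: %s <1..%zu>\n", argv[0], item_count);
        return 1;
    }
    const char *selected = select_item(offset);
    if (selected == NULL) {
        fprintf(stderr, "offset %ld is out of range\n", offset);
        return 1;
    }
    printf("You selected %s\n", selected);
    return 0;
}
```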
Observed Examples
Reference | Description |
---|---|
CVE-2009-2550 | Classic stack-based buffer overflow in media player using a long entry in a playlist |
CVE-2009-2403 | Heap-based buffer overflow in media player using a long entry in a playlist |
CVE-2009-0689 | large precision value in a format string triggers overflow |
CVE-2009-0690 | negative offset value leads to out-of-bounds read |
CVE-2009-1532 | malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption |
CVE-2009-1528 | chain: lack of synchronization leads to memory corruption |
CVE-2009-0558 | attacker-controlled array index leads to code execution |
CVE-2009-0269 | chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. |
CVE-2009-0566 | chain: incorrect calculations lead to incorrect pointer dereference and memory corruption |
CVE-2009-1350 | product accepts crafted messages that lead to a dereference of an arbitrary pointer |
CVE-2009-0191 | chain: malformed input causes dereference of uninitialized memory |
CVE-2008-4113 | OS kernel trusts userland-supplied length value, allowing reading of sensitive information |
Potential Mitigations
Phase: Requirements
Strategy: Language Selection
Use a language that does not allow this weakness to occur, or that provides constructs that make it easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows.
Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
Be aware that a language's interface to native code (object code) may still be subject to overflows, even if the language itself is theoretically safe.
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Use a vetted library or framework that does not allow this weakness to occur, or that provides constructs that make it easier to avoid.
Examples include the Safe C String Library (SafeStr) by Messier and Viega and Microsoft's Strsafe.h library. These libraries provide safer versions of overflow-prone string-handling functions.
This is not a complete solution, since many buffer overflows are not related to strings.
Phase: Build and Compilation
Strategy: Compilation or Build Hardening
Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, the Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice.
Effectiveness: Defense in Depth
This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service (DoS), since the typical response is to exit the application.
Phase: Implementation
Consider adhering to the following rules when allocating and managing an application's memory:
- Double-check that your buffer is as large as you specify.
- When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, the string may not be NULL-terminated.
- Check buffer boundaries when accessing the buffer in a loop, and make sure you are not in danger of writing past the allocated space.
- If necessary, truncate all input strings to a reasonable length before passing them to copy and concatenation functions.
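An added illustration of the strncpy() rule above, applied to Example 1's hostname copy (not part of the CWE entry): strncpy_terminated() shows that strncpy() leaves no terminator when the source is at least as long as the bound, and copy_bounded() is an assumed replacement that always terminates and reports truncation so the caller can reject over-long input. HOSTNAME_LEN mirrors the 64-byte buffer in Example 1.

```c
#include <stdbool.h>
#include <string.h>

#define HOSTNAME_LEN 64   /* same fixed buffer size as Example 1 */

/* Shows the strncpy() rule: strncpy(dst, src, n) writes no NUL when
 * strlen(src) >= n. Returns true only if dst ended up terminated. */
bool strncpy_terminated(char *dst, size_t dstsize, const char *src)
{
    memset(dst, 'X', dstsize);             /* make a missing NUL visible */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Bounded copy that always terminates and reports truncation, so the
 * caller can reject over-long input instead of silently clipping it.
 * Returns 0 on success, -1 if src did not fit (dst is still a valid
 * string in both cases). */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t srclen = strlen(src);
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                         /* explicit terminator */
    return srclen < dstsize ? 0 : -1;
}

/* Hardened form of Example 1's copy step: refuse names that do not
 * fit in hostname[64] rather than overflowing it with strcpy(). */
int store_hostname(char hostname[HOSTNAME_LEN], const char *h_name)
{
    return copy_bounded(hostname, HOSTNAME_LEN, h_name);
}
```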
Phase: Operation
Strategy: Environment Hardening
Use a feature like Address Space Layout Randomization (ASLR).
Effectiveness: Defense in Depth
This is not a complete solution. However, it forces the attacker to guess an unknown value that changes with every program execution. In addition, an attack could still cause a denial of service (DoS), since the typical response is to exit the application.
Phase: Operation
Strategy: Environment Hardening
Use a CPU and operating system that offer Data Execution Protection (NX) or its equivalent.
Effectiveness: Defense in Depth
This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases where self-modifying code is required. Finally, an attack could still cause a denial of service (DoS), since the typical response is to exit the application.
Phase: Implementation
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create them if they are not available.
Effectiveness: Moderate
This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculated buffer lengths (CWE-131).
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Weakness Class | 20 | Improper Input Validation | Development Concepts 699; Seven Pernicious Kingdoms (primary) 700 | |
ChildOf | Weakness Class | 118 | Improper Access of Indexable Resource ('Range Error') | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ChildOf | Category | 633 | Weaknesses that Affect Memory | Resource-specific Weaknesses (primary) 631 | |
ChildOf | Category | 726 | OWASP Top Ten 2004 Category A5 - Buffer Overflows | Weaknesses in OWASP Top Ten (2004) (primary) 711 | |
ChildOf | Category | 740 | CERT C Secure Coding Section 06 - Arrays (ARR) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734 | |
ChildOf | Category | 741 | CERT C Secure Coding Section 07 - Characters and Strings (STR) | Weaknesses Addressed by the CERT C Secure Coding Standard 734 | |
ChildOf | Category | 742 | CERT C Secure Coding Section 08 - Memory Management (MEM) | Weaknesses Addressed by the CERT C Secure Coding Standard 734 | |
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard 734 | |
ChildOf | Category | 744 | CERT C Secure Coding Section 10 - Environment (ENV) | Weaknesses Addressed by the CERT C Secure Coding Standard 734 | |
ChildOf | Category | 752 | 2009 Top 25 - Risky Resource Management | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) 750 | |
ParentOf | Compound Element: Composite | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 123 | Write-what-where Condition | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 125 | Out-of-bounds Read | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 130 | Improper Handling of Length Parameter Inconsistency | Development Concepts (primary) 699 | |
ParentOf | Weakness Base | 466 | Return of Pointer Value Outside of Expected Range | Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 786 | Access of Memory Location Before Start of Buffer | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 787 | Out-of-bounds Write | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 788 | Access of Memory Location After End of Buffer | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 805 | Buffer Access with Incorrect Length Value | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 822 | Untrusted Pointer Dereference | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 823 | Use of Out-of-range Pointer Offset | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 824 | Access of Uninitialized Pointer | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
ParentOf | Weakness Base | 825 | Expired Pointer Dereference | Development Concepts (primary) 699; Research Concepts (primary) 1000 | |
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635 | |
ParentOf | Weakness Base | 128 | Wrap-around Error | Research Concepts 1000 | |
ParentOf | Weakness Base | 129 | Improper Validation of Array Index | Research Concepts 1000 | |
CanFollow | Weakness Base | 131 | Incorrect Calculation of Buffer Size | Development Concepts 699; Research Concepts 1000 | |
CanFollow | Weakness Base | 190 | Integer Overflow or Wraparound | Research Concepts 1000 | Integer Overflow to Buffer Overflow (680) |
CanFollow | Weakness Base | 193 | Off-by-one Error | Research Concepts 1000 | |
CanFollow | Weakness Variant | 195 | Signed to Unsigned Conversion Error | Research Concepts 1000 | |
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
OWASP Top Ten 2004 | A5 | Buffer Overflows | |
CERT C Secure Coding | ARR00-C | Understand how arrays work | |
CERT C Secure Coding | ARR33-C | Guarantee that copies are made into storage of sufficient size | |
CERT C Secure Coding | ARR34-C | Ensure that array types in expressions are compatible | |
CERT C Secure Coding | ARR35-C | Do not allow loops to iterate beyond the end of an array | |
CERT C Secure Coding | ENV01-C | Do not make assumptions about the size of an environment variable | |
CERT C Secure Coding | FIO37-C | Do not assume character data has been read | |
CERT C Secure Coding | MEM09-C | Do not assume memory allocation routines initialize memory | |
CERT C Secure Coding | STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator | |
CERT C Secure Coding | STR32-C | Null-terminate byte strings as required | |
CERT C Secure Coding | STR33-C | Size wide character strings correctly | |
WASC | 7 | Buffer Overflow | |
Related Attack Patterns
CAPEC-ID | Attack Pattern Name (CAPEC Version 1.5) |
---|---|
8 | Buffer Overflow in an API Call |
9 | Buffer Overflow in Local Command-Line Utilities |
10 | Buffer Overflow via Environment Variables |
14 | Client-side Injection-induced Buffer Overflow |
24 | Filter Failure through Buffer Overflow |
42 | MIME Conversion |
44 | Overflow Binary Resource File |
45 | Buffer Overflow via Symbolic Links |
100 | Overflow Buffers |
46 | Overflow Variables and Tags |
47 | Buffer Overflow via Parameter Expansion |
References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 5, "Public Enemy #1: The Buffer Overrun", page 127; Chapter 14, "Prevent I18N Buffer Overruns", page 441. 2nd Edition. Microsoft. 2002.
Microsoft. "Using the Strsafe.h Functions". <http://msdn.microsoft.com/en-us/library/ms647466.aspx>.
Matt Messier and John Viega. "Safe C String Library v1.0.3". <http://www.zork.org/safestr/>.
Michael Howard. "Address Space Layout Randomization in Windows Vista". <http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx>.
Arjan van de Ven. "Limiting buffer overflows with ExecShield". <http://www.redhat.com/magazine/009jul05/features/execshield/>.
"PaX". <http://en.wikipedia.org/wiki/PaX>.
Change History
[2011-04-21]
Updated based on data as of 2010-10-12.
[2009-06-29]
Created based on the URL below as of 2009-02-02.
http://cwe.mitre.org/data/definitions/119.html
Registered: 2011/04/21
Last updated: 2023/04/04