Use of Path Manipulation Function without Maximum-sized Buffer

The software invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.


Description

Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others.

Background

Windows provides a large number of utility functions that manipulate buffers containing filenames. In most cases, the result is returned in a buffer that is passed in as input. (Usually the filename is modified in place.) Most functions require the buffer to be at least MAX_PATH bytes in length, but you should check the documentation for each function individually. If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

In this example the function creates a directory named "output\<name>" in the current directory and returns a heap-allocated copy of its name.

#include <windows.h>
#include <shlwapi.h>   /* PathAppend, StrDup */
#include <shlobj.h>    /* SHCreateDirectoryEx */

/* Builds "<current directory>\output\<name>", creates it, and returns a heap copy of the path. */
char *createOutputDirectory(char *name) {
  char outputDirectoryName[128];   /* undersized: smaller than MAX_PATH */
  if (GetCurrentDirectory(128, outputDirectoryName) == 0) {
    return NULL;
  }
  if (!PathAppend(outputDirectoryName, "output")) {
    return NULL;
  }
  /* PathAppend() assumes a buffer of at least MAX_PATH characters and takes no size
     argument, so a long name overruns the 128-byte buffer here. */
  if (!PathAppend(outputDirectoryName, name)) {
    return NULL;
  }
  if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL) != ERROR_SUCCESS) {
    return NULL;
  }
  return StrDup(outputDirectoryName);
}

For most values of the current directory and the name parameter, this function will work properly. However, if the name parameter is particularly long, then the second call to PathAppend() could overflow the outputDirectoryName buffer, which is smaller than MAX_PATH bytes.
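The following is an added example, not part of the CWE entry, showing the corrected shape of the function above in portable C: the buffer is sized to PATH_MAX and every append is bounded by the buffer size rather than trusting the callee. The helper path_append_bounded() is a hypothetical stand-in for a PathAppend()-style function, and the 200-character file name is constructed input; neither comes from the original page.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Hypothetical bounded stand-in for PathAppend(): appends `component` to the
 * path already in `out`, inserting '/' when needed. Unlike PathAppend(), it
 * takes the buffer size and refuses the append (leaving `out` unchanged)
 * whenever the result plus its terminating NUL would not fit in `outsz`. */
bool path_append_bounded(char *out, size_t outsz, const char *component)
{
    const char *nul = memchr(out, '\0', outsz);
    if (nul == NULL)
        return false;                       /* `out` is not a valid string */
    size_t base_len = (size_t)(nul - out);
    size_t comp_len = strlen(component);
    bool need_sep = base_len > 0 && out[base_len - 1] != '/';
    size_t total = base_len + (need_sep ? 1u : 0u) + comp_len;
    if (total + 1 > outsz)
        return false;                       /* would overflow: reject, do not truncate */
    if (need_sep)
        out[base_len++] = '/';
    memcpy(out + base_len, component, comp_len + 1);   /* copies the NUL too */
    return true;
}

/* Builds "<cwd>/output/<name>" into `out`, mirroring the page's
 * createOutputDirectory() but with every step bounded by `outsz`.
 * Returns false instead of overflowing when the pieces do not fit. */
bool build_output_path(const char *cwd, const char *name,
                       char *out, size_t outsz)
{
    size_t cwd_len = strlen(cwd);
    if (cwd_len + 1 > outsz)
        return false;
    memcpy(out, cwd, cwd_len + 1);
    return path_append_bounded(out, outsz, "output")
        && path_append_bounded(out, outsz, name);
}

/* Constructed sample input: a 200-character name, which overruns a 128-byte
 * buffer but fits comfortably in PATH_MAX. */
const char *sample_long_name(void)
{
    static char name[201];
    memset(name, 'a', 200);
    name[200] = '\0';
    return name;
}

int main(void)
{
    char small[128];          /* the undersized buffer from the page's example */
    char full[PATH_MAX];      /* the maximum-sized buffer the weakness calls for */
    const char *name = sample_long_name();

    printf("128-byte buffer: %s\n",
           build_output_path("/home/user", name, small, sizeof small)
               ? "ok" : "rejected (would overflow)");
    printf("PATH_MAX buffer: %s\n",
           build_output_path("/home/user", name, full, sizeof full)
               ? "ok" : "rejected");
    return 0;
}
```

With the 128-byte buffer the bounded helper refuses the second append and the caller fails cleanly; with a PATH_MAX buffer the same input succeeds. The same discipline applies to the POSIX functions the description names: give readlink() a PATH_MAX buffer and NUL-terminate its result yourself, and for realpath() prefer passing NULL as the output buffer so the C library allocates one of the right size (POSIX.1-2008).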

See Also

SFP Secondary Cluster: Faulty String Expansion

This category identifies Software Fault Patterns (SFPs) within the Faulty String Expansion cluster (SFP9).

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Weaknesses in Software Written in C++

This view (slice) covers issues that are found in C++ programs that are not common to all languages.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.