CWE-464: Addition of Data Structure Sentinel

Structure: Simple

Abstraction: Base

Status: Incomplete

Likelihood of Exploit: High

Description

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

Extended Description

Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the addition or modification of sentinels.

Related Weaknesses

  • ChildOf CWE-138 (View ID: 1000, Ordinal: Primary)

Applicable Platforms

Language: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)

Common Consequences

Scope | Impact | Note
Integrity | Modify Application Data | Generally this error will cause the data structure to not work properly by truncating the data.

Potential Mitigations

Implementation, Architecture and Design

Strategy:

Encapsulate the user from interacting with data sentinels. Validate user input to verify that sentinels are not present.

Implementation

Strategy:

Proper error checking can reduce the risk of inadvertently introducing sentinel values into data. For example, if a parsing function fails or encounters an error, it might return a value that is the same as the sentinel.

Architecture and Design

Strategy:

Use an abstraction library to abstract away risky APIs. This is not a complete solution.

Operation

Strategy:

Use OS-level preventative functionality. This is not a complete solution.

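Demonstrative Examples

The following example assigns some character values to a list of characters and prints them each individually, and then as a string. The third character value is intended to be an integer taken from user input and converted to an int.

Bad code (C):

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        char *foo;
        char in[2] = {0};           /* one input character plus a terminator for atoi */

        foo = malloc(sizeof(char) * 5);
        foo[0] = 'a';
        foo[1] = 'a';
        in[0] = (char)getc(stdin);
        foo[2] = atoi(in);          /* BAD: atoi returns 0 when no conversion is made */
        foo[3] = 'c';
        foo[4] = '\0';
        printf("%c %c %c %c %c \n", foo[0], foo[1], foo[2], foo[3], foo[4]);
        printf("%s\n", foo);
        free(foo);
        return 0;
    }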

The first print statement prints each character separated by a space. However, if a non-integer is read from stdin by getc, atoi performs no conversion and returns 0. When foo is then printed as a string, the 0 at foo[2] acts as a null terminator, so foo[3] is never printed.
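A hardened counterpart to the bad example, applying the input-validation and error-checking mitigations listed above. This is an added example, not part of the CWE entry. It swaps atoi for strtol so that a failed parse can be told apart from a real 0, and it reads a whole line with fgets instead of one character with getc; the names parse_string_byte and build_foo are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse text as a decimal byte value that may be stored inside a
 * NUL-terminated string. Returns 0 on success, -1 on rejection.
 * (Hypothetical helper, not from the CWE entry.) */
int parse_string_byte(const char *text, char *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || *end != '\0')    /* no digits, or trailing garbage */
        return -1;
    if (errno == ERANGE)                /* value overflowed long */
        return -1;
    if (v <= 0 || v > SCHAR_MAX)        /* 0 is the sentinel; must fit in char */
        return -1;
    *out = (char)v;
    return 0;
}

/* Fill the five-byte buffer from the example; buf is written only
 * after the input has been accepted. */
int build_foo(const char *input, char buf[5])
{
    char third;
    if (parse_string_byte(input, &third) != 0)
        return -1;
    buf[0] = 'a';
    buf[1] = 'a';
    buf[2] = third;
    buf[3] = 'c';
    buf[4] = '\0';
    return 0;
}

int main(void)
{
    char line[16], foo[5];
    if (!fgets(line, sizeof line, stdin))
        return 1;
    line[strcspn(line, "\n")] = '\0';   /* drop the newline before parsing */
    if (build_foo(line, foo) != 0)
        return 1;                       /* rejected: nothing is printed */
    printf("%s\n", foo);
    return 0;
}
```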

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP | | | Addition of data-structure sentinel
CERT C Secure Coding | STR03-C | | Do not inadvertently truncate a null-terminated byte string
CERT C Secure Coding | STR06-C | | Do not assume that strtok() leaves the parse string unchanged