CWE-131: Incorrect Calculation of Buffer Size
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
常见后果
影响范围: Integrity Availability Confidentiality
技术影响: DoS: Crash, Exit, or Restart Execute Unauthorized Code or Commands Read Memory Modify Memory
说明: If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data.
潜在缓解措施
阶段: Implementation
描述: When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
阶段: Implementation
阶段: Implementation
策略: Input Validation
描述: Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
阶段: Architecture and Design
描述: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
阶段: Implementation
描述: When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
阶段: Implementation
描述: When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.
阶段: Implementation
描述: Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
有效性: Moderate
阶段: Implementation
描述: Use sizeof() on the appropriate data type to avoid CWE-467.
阶段: Implementation
描述: Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.
阶段: Architecture and Design
策略: Libraries or Frameworks
阶段: Operation Build and Compilation
策略: Environment Hardening
有效性: Defense in Depth
阶段: Operation Build and Compilation
策略: Environment Hardening
有效性: Defense in Depth
阶段: Operation
策略: Environment Hardening
有效性: Defense in Depth
阶段: Implementation
策略: Compilation or Build Hardening
描述: Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
阶段: Architecture and Design Operation
策略: Environment Hardening
描述: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
阶段: Architecture and Design Operation
策略: Sandbox or Jail
有效性: Limited
检测方法
方法: Automated Static Analysis
有效性: High
方法: Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
有效性: Moderate
方法: Manual Analysis
Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
方法: Manual Analysis
有效性: High
方法: Automated Static Analysis - Binary or Bytecode
有效性: High
方法: Manual Static Analysis - Binary or Bytecode
有效性: SOAR Partial
方法: Manual Static Analysis - Source Code
有效性: SOAR Partial
方法: Automated Static Analysis - Source Code
有效性: High
方法: Architecture or Design Review
有效性: High
观察示例
参考: CVE-2025-27363
Font rendering library does not properly handle assigning a signed short value to an unsigned long (CWE-195), leading to an integer wraparound (CWE-190), causing too small of a buffer (CWE-131), leading to an out-of-bounds write (CWE-787).
参考: CVE-2020-17087
Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV.
参考: CVE-2004-1363
substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed
参考: CVE-2004-0747
substitution overflow: buffer overflow using expansion of environment variables
参考: CVE-2005-2103
substitution overflow: buffer overflow using a large number of substitution strings
参考: CVE-2005-3120
transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length
参考: CVE-2003-0899
transformation overflow: buffer overflow when expanding ">" to ">", etc.
参考: CVE-2001-0334
expansion overflow: buffer overflow using wildcards
参考: CVE-2001-0248
expansion overflow: long pathname + glob = overflow
参考: CVE-2001-0249
expansion overflow: long pathname + glob = overflow
参考: CVE-2002-0184
special characters in argument are not properly expanded
参考: CVE-2004-0434
small length value leads to heap overflow
参考: CVE-2002-1347
multiple variants
参考: CVE-2005-0490
needs closer investigation, but probably expansion-based
参考: CVE-2004-0940
needs closer investigation, but probably expansion-based
参考: CVE-2008-0599
Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Other length calculation error | - |
| CERT C Secure Coding | INT30-C | Ensure that unsigned integer operations do not wrap | Imprecise |
| CERT C Secure Coding | MEM35-C | Allocate sufficient memory for an object | CWE More Abstract |
关键信息
CWE ID: CWE-131
抽象级别: Base
结构: Simple
状态: Draft
利用可能性: High