CWE-170: Improper Null Termination
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
Extended Description
Null termination errors frequently occur in two different ways. An off-by-one error can cause the null byte to be written one position past the end of the buffer, which is itself a (single-byte) overflow. Or a program can call strncpy() incorrectly, for example with the full destination size while the source is at least that long, in which case no null terminator is written at all. Other scenarios are possible.
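Both failure modes, as an added C example (not code from the CWE entry): the function names, the 8-byte buffer size and the canary and "SECRET" layout are this example's own construction, chosen so that the out-of-bounds terminator and the subsequent over-read are observable without relying on undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

enum { BUFSZ = 8 };   /* logical buffer size used throughout (example's own choice) */

/* Failure mode 1: strncpy() called with the full destination size. When src
 * holds at least dstsz bytes, strncpy() copies exactly dstsz bytes and never
 * writes a NUL, so dst stops being a C string. Returns 1 if dst was left
 * unterminated, 0 if a NUL landed inside the buffer. */
int strncpy_unterminated(char *dst, size_t dstsz, const char *src) {
    strncpy(dst, src, dstsz);                  /* pads with NULs only when src is short */
    return memchr(dst, '\0', dstsz) == NULL;
}

/* What happens next: a later strlen()/strcpy()/printf("%s") keeps reading past
 * the unterminated field into whatever is adjacent. Here the adjacent data is
 * a constructed "SECRET" string placed right after an 8-byte unterminated field
 * inside one array, so the over-read stays within a defined object.
 * Returns the length strlen() reports for the field: 14 instead of at most 7. */
size_t over_read_length(void) {
    char region[BUFSZ + 6 + 1] = {0};
    memcpy(region, "ABCDEFGH", BUFSZ);         /* field: 8 bytes, no NUL */
    memcpy(region + BUFSZ, "SECRET", 7);       /* adjacent data, NUL-terminated */
    return strlen(region);                     /* walks through the field into SECRET */
}

/* Failure mode 2: off-by-one terminator. The copy length is clamped to BUFSZ
 * instead of BUFSZ - 1, so the NUL is written at buf[BUFSZ], one byte past the
 * logical buffer. A canary byte sits at that offset inside a larger array so
 * the clobber is visible. Returns 1 if the terminator overwrote the canary. */
int off_by_one_terminator(const char *src) {
    unsigned char region[BUFSZ + 1];
    char *buf = (char *)region;                /* the logical 8-byte buffer */
    region[BUFSZ] = 0xAA;                      /* canary "just past the end" */

    size_t n = strlen(src);
    if (n > BUFSZ) n = BUFSZ;                  /* wrong bound: should be BUFSZ - 1 */
    memcpy(buf, src, n);
    buf[n] = '\0';                             /* n == BUFSZ clobbers region[BUFSZ] */
    return region[BUFSZ] != 0xAA;
}

/* Corrected form of the same copy: clamp to BUFSZ - 1 so the NUL always lands
 * inside the buffer. Returns 1 if the canary survived and the result is a
 * properly terminated string. */
int fixed_terminator(const char *src) {
    unsigned char region[BUFSZ + 1];
    char *buf = (char *)region;
    region[BUFSZ] = 0xAA;

    size_t n = strlen(src);
    if (n > BUFSZ - 1) n = BUFSZ - 1;          /* leave room for the terminator */
    memcpy(buf, src, n);
    buf[n] = '\0';
    return region[BUFSZ] == 0xAA && memchr(buf, '\0', BUFSZ) != NULL;
}

int main(void) {
    char dst[BUFSZ];
    printf("strncpy left dst unterminated: %d\n",
           strncpy_unterminated(dst, sizeof dst, "ABCDEFGHIJ"));
    printf("strlen() over-read length:      %zu\n", over_read_length());
    printf("off-by-one NUL hit the canary:  %d\n", off_by_one_terminator("ABCDEFGHIJ"));
    printf("fixed copy terminated in-bounds: %d\n", fixed_terminator("ABCDEFGHIJ"));
    return 0;
}
```

The strncpy() case is the one that is easy to miss in review: the call looks bounded, and it is, but the bound applies to the bytes copied, not to the terminator, so every consumer of `dst` afterwards inherits the over-read.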
Common Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Read Memory; Execute Unauthorized Code or Commands
Note: The case of an omitted null character is the most dangerous of the possible issues. This will almost certainly result in information disclosure, and possibly a buffer overflow condition, which may be exploited to execute arbitrary code.
Scope: Confidentiality, Integrity, Availability
Technical Impact: DoS: Crash, Exit, or Restart; Read Memory; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Note: If a null character is omitted from a string, then most string-copying functions will read data until they locate a null character, even outside of the intended boundaries of the string. This could:
- cause a crash due to a segmentation fault;
- cause sensitive adjacent memory to be copied and sent to an outsider;
- trigger a buffer overflow when the copy is being written to a fixed-size buffer.
Scope: Integrity, Availability
Technical Impact: Modify Memory; DoS: Crash, Exit, or Restart
Note: Misplaced null characters may result in any number of security problems. The biggest issue is a subset of buffer overflow and write-what-where conditions, where data corruption occurs because a null character is written over valid data, or even over instructions. A randomly placed null character may put the system into an undefined state, and therefore make it prone to crashing. A misplaced null character may corrupt other data in memory.
Scope: Integrity, Confidentiality, Availability, Access Control, Other
Technical Impact: Alter Execution Logic; Execute Unauthorized Code or Commands
Note: Should the null character corrupt the process flow, or affect a flag controlling access, it may lead to logical errors which allow for the execution of arbitrary code.
Potential Mitigations
Phase: Requirements
Description: Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible.
Phase: Implementation
Description: Ensure that all string functions used are fully understood as to whether and where they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings.
Phase: Implementation
Description: If performance constraints permit, special code can be added that validates the null termination of string buffers before they are used; however, this is a rather naive and error-prone solution.
Phase: Implementation
Description: Switch to bounded string manipulation functions. Inspect the buffer lengths involved in the buffer overrun trace reported with the defect.
Phase: Implementation
Description: Add code that fills buffers with nulls (however, the length of buffers still needs to be inspected, to ensure that the non null-terminated string is not written up to the physical end of the buffer, which would overwrite the trailing null).
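The three implementation-phase mitigations (validate termination, use bounded functions, zero-fill the buffer), as an added C example that is not part of the CWE entry; the helper names and return conventions are this example's own:

```c
#include <stdio.h>
#include <string.h>

/* Mitigation: validate termination before handing a buffer to any function
 * that expects a C string (CERT STR32-C). Returns 1 if a NUL exists within
 * `size` bytes, 0 otherwise. memchr() never reads past `size`, so the check
 * itself cannot over-read. */
int is_nul_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* Mitigation: bounded copy via snprintf() (C99). When dstsz > 0 the result is
 * always NUL-terminated, and the return value reports how many bytes were
 * needed, so truncation is detectable rather than silent.
 * Returns 1 if src was truncated, 0 if it was copied whole. */
int snprintf_copy(char *dst, size_t dstsz, const char *src) {
    int needed = snprintf(dst, dstsz, "%s", src);
    return needed >= 0 && (size_t)needed >= dstsz;
}

/* Mitigation: zero-fill, then copy at most dstsz - 1 bytes, so the last byte of
 * dst is always a NUL even when src (which need not be terminated) is longer
 * than the buffer. srclen is the caller's known length of src, so no string
 * function ever scans src for a terminator it might not have.
 * Returns 1 if src was truncated, 0 otherwise. */
int zero_fill_copy(char *dst, size_t dstsz, const char *src, size_t srclen) {
    if (dstsz == 0) return 1;
    memset(dst, 0, dstsz);
    size_t n = srclen < dstsz ? srclen : dstsz - 1;   /* never fills the last byte */
    memcpy(dst, src, n);
    return srclen > n;
}

/* Check-then-use wrapper: refuse to compute the length of a buffer that is not
 * known to be terminated. Returns (size_t)-1 instead of over-reading. */
size_t checked_strlen(const char *buf, size_t size) {
    if (!is_nul_terminated(buf, size)) return (size_t)-1;
    return strlen(buf);
}

int main(void) {
    /* Constructed inputs: an unterminated 4-byte field and a long source. */
    char raw[4] = {'a', 'b', 'c', 'd'};
    char dst[8];
    printf("raw terminated? %d\n", is_nul_terminated(raw, sizeof raw));
    printf("checked_strlen(raw): %zu\n", checked_strlen(raw, sizeof raw));
    printf("snprintf truncated? %d -> \"%s\"\n",
           snprintf_copy(dst, sizeof dst, "0123456789"), dst);
    printf("zero-fill truncated? %d -> \"%s\"\n",
           zero_fill_copy(dst, sizeof dst, "0123456789", 10), dst);
    return 0;
}
```

Note that `zero_fill_copy()` takes an explicit source length: once you accept that a buffer may arrive unterminated, no call may compute its length with strlen() or strcpy(), which is exactly why the entry warns that adding validation code is easy to get wrong.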
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Observed Examples
Reference: CVE-2000-0312
Attacker does not null-terminate argv[] when invoking another program.
Reference: CVE-2003-0777
Interrupted step causes resultant lack of null termination.
Reference: CVE-2004-1072
Fault causes resultant lack of null termination, leading to buffer expansion.
Reference: CVE-2001-1389
Multiple vulnerabilities related to improper null termination.
Reference: CVE-2003-0143
Product does not null terminate a message buffer after snprintf-like call, leading to overflow.
Reference: CVE-2009-2523
Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Improper Null Termination | - |
| 7 Pernicious Kingdoms | - | String Termination Error | - |
| CLASP | - | Miscalculated null termination | - |
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE More Specific |
| CERT C Secure Coding | POS30-C | Use the readlink() function properly | CWE More Abstract |
| CERT C Secure Coding | STR03-C | Do not inadvertently truncate a null-terminated byte string | - |
| CERT C Secure Coding | STR32-C | Do not pass a non-null-terminated character sequence to a library function that expects a string | Exact |
| Software Fault Patterns | SFP11 | Improper Null Termination | - |