CWE-805: Buffer Access with Incorrect Length Value
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
扩展描述
When the length value exceeds the size of the destination, a buffer overflow could occur.
常见后果
影响范围: Integrity Confidentiality Availability
技术影响: Read Memory Modify Memory Execute Unauthorized Code or Commands
说明: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service.
影响范围: Availability
技术影响: Modify Memory DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU)
说明: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
潜在缓解措施
阶段: Requirements
策略: Language Selection
阶段: Architecture and Design
策略: Libraries or Frameworks
阶段: Operation Build and Compilation
策略: Environment Hardening
有效性: Defense in Depth
阶段: Implementation
阶段: Architecture and Design
描述: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
阶段: Operation Build and Compilation
策略: Environment Hardening
有效性: Defense in Depth
阶段: Operation
策略: Environment Hardening
有效性: Defense in Depth
阶段: Architecture and Design Operation
策略: Environment Hardening
描述: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the product or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
阶段: Architecture and Design Operation
策略: Sandbox or Jail
有效性: Limited
检测方法
方法: Automated Static Analysis
有效性: High
方法: Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
有效性: Moderate
方法: Manual Analysis
Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
观察示例
参考: CVE-2011-1959
Chain: large length value causes buffer over-read (CWE-126)
参考: CVE-2011-1848
Use of packet length field to make a calculation, then copy into a fixed-size buffer
参考: CVE-2011-0105
Chain: retrieval of length value from an uninitialized memory location
参考: CVE-2011-0606
Crafted length value in document reader leads to buffer overflow
参考: CVE-2011-0651
SSL server overflow when the sum of multiple length fields exceeds a given value
参考: CVE-2010-4156
Language interpreter API function doesn't validate length argument, leading to information exposure
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CERT C Secure Coding | ARR38-C | Guarantee that library functions do not form invalid pointers | Imprecise |
关键信息
CWE ID: CWE-805
抽象级别: Base
结构: Simple
状态: Incomplete
利用可能性: High