logo

Improper Handling of Length Parameter Inconsistency

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a program reads a structured data packet or message but fails to properly validate that the declared length field matches the actual amount of data provided.

Extended Description

Attackers exploit this flaw by deliberately sending data where the stated length is incorrect—either longer or shorter than the real payload. This inconsistency tricks the application's parsing logic, often leading to catastrophic security failures like buffer overflows, memory corruption, or the processing of garbage data as if it were legitimate instructions. In practice, an attacker might use a manipulated length field to inject massive amounts of data beyond allocated buffers or to carefully craft input that alters critical application state. The core defense is for developers to always independently calculate or strictly verify data lengths during parsing, never trusting the user-supplied length parameter alone before processing the associated data block.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read MemoryModify MemoryVaries by Context
Potential Mitigations 3
Phase: Implementation
When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data.
Phase: Implementation
Do not let the user control the size of the buffer.
Phase: Implementation
Validate that the length of the user-supplied data is consistent with the buffer size.
Demonstrative Examples 1

ID : DX-91

In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing.

Code Example:

Bad
C
c

// get message from socket and store into buffer*

c
c

// process message* success = processMessage(message);} return success;}

However, the message length variable (msgLength) from the structure is used as the condition for ending the for loop without validating that msgLength accurately reflects the actual length of the message body (Unchecked Input for Loop Condition). If msgLength indicates a length that is longer than the size of a message body (Improper Handling of Length Parameter Inconsistency), then this can result in a buffer over-read by reading past the end of the buffer (Buffer Over-read).
Observed Examples 25
CVE-2014-0160Chain: "Heartbleed" bug receives an inconsistent length parameter (Improper Handling of Length Parameter Inconsistency) enabling an out-of-bounds read (Buffer Over-read), returning memory that could include private cryptographic keys and other sensitive data.
CVE-2009-2299Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.
CVE-2001-0825Buffer overflow in internal string handling routine allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check.
CVE-2001-1186Web server allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents server from timing out the connection.
CVE-2001-0191Service does not properly check the specified length of a cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length.
CVE-2003-0429Traffic analyzer allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow.
CVE-2000-0655Chat client allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1.
CVE-2004-0492Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length HTTP header field causing a heap-based buffer overflow.
CVE-2004-0201Help program allows remote attackers to execute arbitrary commands via a heap-based buffer overflow caused by a .CHM file with a large length field
CVE-2003-0825Name services does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Can overlap zero-length issues
CVE-2004-0095Policy manager allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value.
CVE-2004-0826Heap-based buffer overflow in library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.
CVE-2004-0808When domain logons are enabled, server allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided.
CVE-2002-1357Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code.
CVE-2004-0774Server allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1.
CVE-2004-0989Multiple buffer overflows in xml library that may allow remote attackers to execute arbitrary code via long URLs.
CVE-2004-0568Application does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
CVE-2003-0327Server allows remote attackers to cause a denial of service via a remote password array with an invalid length, which triggers a heap-based buffer overflow.
CVE-2003-0345Product allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.
CVE-2004-0430Server allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.
CVE-2005-0064PDF viewer allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.
CVE-2004-0413SVN client trusts the length field of SVN protocol URL strings, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow.
CVE-2004-0940Is effectively an accidental double increment of a counter that prevents a length check conditional from exiting a loop.
CVE-2002-1235Length field of a request not verified.
CVE-2005-3184Buffer overflow by modifying a length value.
Applicable Platforms
Languages:
C : SometimesC++ : SometimesNot Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
Alternate Terms

length manipulation

length tampering
Related Weaknesses
ChildOf: Improper Handling of Inconsistent Structural Elements (CWE-240)
ChildOf: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
ChildOf: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
CanPrecede: Buffer Access with Incorrect Length Value (CWE-805)
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
RelationshipThis probably overlaps other categories including zero-length issues.