logo

Use of sizeof() on a Pointer Type

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a developer uses the sizeof() operator on a pointer variable instead of the data it points to, leading to incorrect size calculations and potential buffer overflows or underflows.

Extended Description

Using sizeof() on a pointer returns the size of the pointer itself (e.g., 4 or 8 bytes for the memory address), not the size of the allocated object or data structure it references. This is a common mistake when programmers intend to calculate buffer sizes, perform memory operations like memcpy, or allocate dynamic memory, resulting in calculations that are off by a factor of the pointer size. While sizeof(pointer) can be intentionally used for platform-specific code (like determining system word size), its presence usually indicates a logic bug. To avoid this, always ensure sizeof() is applied to the dereferenced pointer type (e.g., sizeof(*pointer)) or the actual data type name, especially when dealing with arrays, structs, or dynamically allocated memory blocks.
Common Consequences 1
Scope: IntegrityConfidentiality

Impact: Modify MemoryRead Memory

This error can often cause one to allocate a buffer that is much smaller than what is needed, leading to resultant weaknesses such as buffer overflows.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Implementation
Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
Demonstrative Examples 2
Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.
In this example, sizeof(foo) returns the size of the pointer.

Code Example:

Bad
C
c
In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.

Code Example:

Good
C
c
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.

Code Example:

Bad
C


/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. /


c


c
In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (Partial String Comparison), leading to improper authentication (Improper Authentication).
Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user:
Code Example:
Attack
bash
Because only 4 characters are checked, this significantly reduces the search space for an attacker, making brute force attacks more feasible.
The same problem also applies to the username, so values such as "adminXYZ" and "administrator" will succeed for the username.
    
References 2
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
EXP01-A. Do not take the sizeof a pointer to determine the size of a type
Robert Seacord
https://www.securecoding.cert.org/confluence/display/seccode/EXP01-A.+Do+not+take+the+sizeof+a+pointer+to+determine+the+size+of+a+type
ID: REF-442
 
  
  
 
 
Likelihood of Exploit 
 
 
 
 High 
 
 
  
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 C : UndeterminedC++ : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Implementation  
 
 
 
          
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Incorrect Calculation of Buffer Size (CWE-131) 
 
 
 
 
Taxonomy Mapping 
  • CLASP
  • CERT C Secure Coding
  • CERT C Secure Coding
  • Software Fault Patterns