Incorrect Pointer Scaling

Incomplete Base

Structure: Simple

Description

This vulnerability occurs when a programmer incorrectly accounts for pointer arithmetic in C or C++, causing the program to access unintended memory locations. The core issue is forgetting that adding an integer to a pointer automatically scales that integer by the size of the data type it points to.

Extended Description

In C and C++, pointer arithmetic is not byte-based by default. When you add an integer `n` to a pointer, the compiler implicitly multiplies `n` by the `sizeof` the pointed-to type to get the correct byte offset. A common mistake is writing code that assumes a simple, unscaled addition, which leads to calculating an address far beyond or short of the intended target. This often happens when treating a pointer as a generic byte pointer (`void*` or `char*`) in some places but as a typed pointer (like `int*`) in others without proper casting. To prevent this, always be explicit about pointer types and scaling. When performing manual memory navigation, consistently use `char*` for byte-wise arithmetic or carefully cast pointers, ensuring you understand the compiler's implicit multiplications. Using container classes, iterators, or modern C++ smart pointers can often eliminate the need for raw pointer arithmetic altogether, sidestepping this entire class of errors.

Common Consequences 1

Scope: ConfidentialityIntegrity

Impact: Read MemoryModify Memory

Incorrect pointer scaling will often result in buffer overflow conditions. Confidentiality can be compromised if the weakness is in the context of a buffer over-read or under-read.

Potential Mitigations 3

Phase: Architecture and Design

Use a platform with high-level memory abstractions.

Phase: Implementation

Always use array indexing instead of direct pointer manipulation.

Phase: Architecture and Design

Use technologies for preventing buffer overflows.

Demonstrative Examples 1

ID : DX-55

This example attempts to calculate the position of the second byte of a pointer.

Code Example:Bad
C
c

In this example, second_char is intended to point to the second byte of p. But, adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-critical write to unauthorized memory-- whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian environment.

References 2

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

The Art of Software Security Assessment

Mark Dowd, John McDonald, and Justin Schuh

Addison Wesley

2006

ID: REF-62

Likelihood of Exploit

Medium

Applicable Platforms

Languages:

C : UndeterminedC++ : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Incorrect Calculation (CWE-682)

Taxonomy Mapping

CLASP
CERT C Secure Coding
CERT C Secure Coding
Software Fault Patterns