Category: CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR)

Obsolete
Summary

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

Membership
| ID | Name | Description |
|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | This vulnerability occurs when software accesses a memory buffer but reads from or writes to a location outside its allocated boundary. This can corrupt adjacent data, crash the program, or allow attackers to execute arbitrary code. |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | This vulnerability occurs when a program copies data from one memory location to another without first verifying that the source data will fit within the destination buffer's allocated space. |
| CWE-135 | Incorrect Calculation of Multi-Byte String Length | This vulnerability occurs when software incorrectly measures the length of strings containing multi-byte or wide characters, leading to buffer overflows, data corruption, or crashes. |
| CWE-170 | Improper Null Termination | This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator. |
| CWE-193 | Off-by-one Error | An off-by-one error occurs when a program incorrectly calculates a boundary, such as a loop counter or array index, by being one unit too high or too low. This often leads to buffer overflows, memory corruption, or unexpected program behavior. |
| CWE-464 | Addition of Data Structure Sentinel | This vulnerability occurs when a program unintentionally adds or modifies a special marker, known as a sentinel, within a data structure, leading to critical logic errors. |
| CWE-686 | Function Call With Incorrect Argument Type | This vulnerability occurs when a program calls a function or method but passes an argument of the wrong data type, which can cause unexpected behavior or security flaws. |
| CWE-704 | Incorrect Type Conversion or Cast | This vulnerability occurs when software incorrectly changes data from one type to another, leading to unexpected behavior or security flaws. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OS Command Injection occurs when an application builds a system command using untrusted, external input without properly sanitizing it. This allows an attacker to inject and execute arbitrary commands on the underlying operating system. |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | This vulnerability occurs when an application builds a command string for execution by another component, but fails to properly separate or 'neutralize' the intended arguments. This allows an attacker to inject additional command-line arguments, options, or switches by including argument-separating characters (like spaces or dashes) in untrusted input. |
| CWE-734 | Weaknesses Addressed by the CERT C Secure Coding Standard (2008) | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. |

Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.