Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-467 Variante Borrador
Use of sizeof() on a Pointer Type
This vulnerability occurs when a developer uses the sizeof() operator on a pointer variable instead of the data it points to, leading to incorrect size calculations and potential buffer overflows or…
Definición
What is CWE-467?
This vulnerability occurs when a developer uses the sizeof() operator on a pointer variable instead of the data it points to, leading to incorrect size calculations and potential buffer overflows or underflows.
Using sizeof() on a pointer returns the size of the pointer itself (e.g., 4 or 8 bytes for the memory address), not the size of the allocated object or data structure it references. This is a common mistake when programmers intend to calculate buffer sizes, perform memory operations like memcpy, or allocate dynamic memory, resulting in calculations that are off by a factor of the pointer size.
While sizeof(pointer) can be intentionally used for platform-specific code (like determining system word size), its presence usually indicates a logic bug. To avoid this, always ensure sizeof() is applied to the dereferenced pointer type (e.g., sizeof(*pointer)) or the actual data type name, especially when dealing with arrays, structs, or dynamically allocated memory blocks.
Impacto en el mundo real
Real-world CVEs caused by CWE-467
Todavía no hay CVEs públicos enlazados a esta CWE en el catálogo de MITRE.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.
- 2
In this example, sizeof(foo) returns the size of the pointer.
- 3
In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.
- 4
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
- 5
In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287).
Ejemplo de código vulnerable
Vulnerable C
In this example, sizeof(foo) returns the size of the pointer.
double *foo;
...
foo = (double *)malloc(sizeof(foo)); Payload del atacante
Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user:
pass5
passABCDEFGH
passWORD Ejemplo de código seguro
Secure C
In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.
double *foo;
...
foo = (double *)malloc(sizeof(*foo)); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-467
- Implementation Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
Señales de detección
How to detect CWE-467
Plexicus detecta automáticamente CWE-467 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-467?
¿Qué gravedad tiene CWE-467?
¿Qué lenguajes o plataformas se ven afectados por CWE-467?
¿Cómo puedo prevenir CWE-467?
¿Cómo detecta y corrige Plexicus CWE-467?
¿Dónde puedo aprender más sobre CWE-467?
Frequently asked questions
¿Qué es CWE-467?
This vulnerability occurs when a developer uses the sizeof() operator on a pointer variable instead of the data it points to, leading to incorrect size calculations and potential buffer overflows or underflows.
¿Qué gravedad tiene CWE-467?
MITRE califica la probabilidad de explotación como Alta — esta debilidad se explota activamente en la práctica y debe priorizarse para su remediación.
¿Qué lenguajes o plataformas se ven afectados por CWE-467?
MITRE lists the following affected platforms: C, C++.
¿Cómo puedo prevenir CWE-467?
Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
¿Cómo detecta y corrige Plexicus CWE-467?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-467 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-467?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/467.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-467
Recursos
Further reading
- MITRE — CWE-467 oficial https://cwe.mitre.org/data/definitions/467.html
- The CLASP Application Security Process https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
- EXP01-A. Do not take the sizeof a pointer to determine the size of a type https://www.securecoding.cert.org/confluence/display/seccode/EXP01-A.+Do+not+take+the+sizeof+a+pointer+to+determine+the+size+of+a+type
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.