CWE-467 Variante Rascunho High likelihood

Use of sizeof() on a Pointer Type

This vulnerability occurs when a developer uses the sizeof() operator on a pointer variable instead of the data it points to, leading to incorrect size calculations and potential buffer overflows or…

Definição

What is CWE-467?

Using sizeof() on a pointer returns the size of the pointer itself (e.g., 4 or 8 bytes for the memory address), not the size of the allocated object or data structure it references. This is a common mistake when programmers intend to calculate buffer sizes, perform memory operations like memcpy, or allocate dynamic memory, resulting in calculations that are off by a factor of the pointer size. While sizeof(pointer) can be intentionally used for platform-specific code (like determining system word size), its presence usually indicates a logic bug. To avoid this, always ensure sizeof() is applied to the dereferenced pointer type (e.g., sizeof(*pointer)) or the actual data type name, especially when dealing with arrays, structs, or dynamically allocated memory blocks.

Impacto no mundo real

Real-world CVEs caused by CWE-467

Ainda não há referências CVE públicas associadas a este CWE no catálogo da MITRE.

Como os atacantes a exploram

Trajeto do atacante passo a passo

1
Care should be taken to ensure sizeof returns the size of the data structure itself, and not the size of the pointer to the data structure.
2
In this example, sizeof(foo) returns the size of the pointer.
3
In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.
4
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.
5
In AuthenticateUser(), because sizeof() is applied to a parameter with an array type, the sizeof() call might return 4 on many modern architectures. As a result, the strncmp() call only checks the first four characters of the input password, resulting in a partial comparison (CWE-187), leading to improper authentication (CWE-287).

Exemplo de código vulnerável

Vulnerable C

In this example, sizeof(foo) returns the size of the pointer.

Vulnerável C

double *foo;
  ...
  foo = (double *)malloc(sizeof(foo));

Payload do atacante

Because of the partial comparison, any of these passwords would still cause authentication to succeed for the "admin" user:

Payload do atacante

pass5
  passABCDEFGH
  passWORD

Exemplo de código seguro

Secure C

In this example, sizeof(*foo) returns the size of the data structure and not the size of the pointer.

Seguro C

double *foo;
  ...
  foo = (double *)malloc(sizeof(*foo));

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Lista de verificação de prevenção

How to prevent CWE-467

Implementation Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.

Sinais de deteção

How to detect CWE-467

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Correção automática do Plexicus

O Plexicus deteta automaticamente o CWE-467 e abre um PR de correção em menos de 60 segundos.

O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.

Obter uma demonstração Experimente o Plexicus gratuitamente

Perguntas frequentes

Frequently asked questions

O que é o CWE-467?

Qual a gravidade do CWE-467?

A MITRE classifica a probabilidade de exploração como Alta — esta fraqueza é ativamente explorada em campo e deve ser priorizada para remediação.

Que linguagens ou plataformas são afetadas pelo CWE-467?

MITRE lists the following affected platforms: C, C++.

Como posso prevenir o CWE-467?

Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.

Como é que o Plexicus deteta e corrige o CWE-467?

O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-467 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.

Onde posso saber mais sobre o CWE-467?

A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/467.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.

Fraquezas relacionadas

Weaknesses related to CWE-467

CWE-131 Pai

Incorrect Calculation of Buffer Size

This vulnerability occurs when a program miscalculates the amount of memory needed for a buffer, potentially leading to a buffer overflow…

Recursos

Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.

O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.

Começar grátis Reservar uma demo