Use of Path Manipulation Function without Maximum-sized Buffer
Weakness ID: 785 (Weakness Variant) | Status: Incomplete
Description Summary
Extended Description
Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others.
Example 1
In this example the function creates a directory named "output\<name>" in the current directory and returns a heap-allocated copy of its name. For most values of the current directory and the name parameter, this function will work properly. However, if the name parameter is particularly long, then the second call to PathAppend() could overflow the outputDirectoryName buffer, which is smaller than MAX_PATH bytes.
Phase: Implementation
Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions.
Windows provides a large number of utility functions that manipulate buffers containing filenames. In most cases, the result is returned in a buffer that is passed in as input. (Usually the filename is modified in place.) Most functions require the buffer to be at least MAX_PATH bytes in length, but you should check the documentation for each function individually. If the buffer is not large enough to store the result of the manipulation, a buffer overflow can occur.
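The mitigation above, shown for the POSIX functions named in the description, realpath() and readlink(). This is an added example, not CWE's demonstrative code; the helper names resolve_path and read_link_checked and the PATH_MAX fallback value are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* expose realpath(), readlink(), strdup() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096       /* assumption: fallback if the platform omits it */
#endif

/* Weak pattern, shown as a comment only:
 *     char small[64];
 *     realpath(user_path, small);
 * realpath() gets no size argument and may write up to PATH_MAX bytes. */

/* Canonicalize `path` into a heap copy the caller frees; NULL on failure.
 * The scratch buffer is PATH_MAX bytes, the most realpath() can write.
 * (POSIX.1-2008 also allows realpath(path, NULL), which allocates.) */
char *resolve_path(const char *path)
{
    char resolved[PATH_MAX];
    if (path == NULL || realpath(path, resolved) == NULL)
        return NULL;
    return strdup(resolved);
}

/* readlink() takes a size, but truncates silently and never writes a NUL.
 * Returns the target length, or -1 on error or when the result filled the
 * buffer and so may have been cut short. */
ssize_t read_link_checked(const char *link, char *out, size_t outsz)
{
    ssize_t n;
    if (link == NULL || out == NULL || outsz < 2)
        return -1;
    n = readlink(link, out, outsz - 1);   /* keep one byte for the NUL */
    if (n < 0 || (size_t)n == outsz - 1)
        return -1;
    out[n] = '\0';
    return n;
}

int main(void)
{
    char *cwd = resolve_path(".");
    printf("resolved: %s\n", cwd ? cwd : "(failed)");
    free(cwd);
}
```

Treating a completely filled readlink() buffer as a failure is deliberately conservative: the call gives no other signal that the target was longer than the space provided.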
Nature | ID | Name | View(s) this relationship pertains to |
---|---|---|---|
ChildOf | 20 | Improper Input Validation | Development Concepts 699; Seven Pernicious Kingdoms (primary) 700 |
ChildOf | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Development Concepts (primary) 699; Research Concepts 1000 |
ChildOf | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary) 631 |
ChildOf | 633 | Weaknesses that Affect Memory | Resource-specific Weaknesses 631 |
ChildOf | 676 | Use of Potentially Dangerous Function | Research Concepts (primary) 1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
7 Pernicious Kingdoms | | | Often Misused: File System |
A weakness where code path has: 1. end statement that passes buffer to path manipulation function where the size of the buffer is smaller than expected by the path manipulation function
Much of this entry was originally part of CWE-249, which was deprecated for several reasons.
This entry is at a much lower level of abstraction than most entries because it is function-specific. It also has significant overlap with other entries that can vary depending on the perspective. For example, incorrect usage could trigger either a stack-based overflow (CWE-121) or a heap-based overflow (CWE-122). The CWE team has not decided how to handle such entries.
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | 7 Pernicious Kingdoms | | Externally Mined |

Modifications
Modification Date | Modifier | Organization | Source | Comment |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-08-01 | | KDM Analytics | External | added/updated white box definitions |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Demonstrative Examples |
2009-07-17 | | KDM Analytics | External | Improved the White Box Definition |