Unintentional Pointer Scaling

From Guidance Share

Jump to: navigation, search

Contents

Description

In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.

Applies To

  • Language: C and C++

Example

int *p = x;
char * second_char = (char *)(p + 1);

In this example, second_char is intended to point to the second byte of p. But, adding 1 to p actually adds sizeof(int) to p, giving a result that is incorrect (3 bytes off on 32-bit platforms). If the resulting memory address is read, this could potentially be an information leak. If it is a write, it could be a security-criticial write to unauthorized memory -- whether or not it is a buffer overflow. Note that the above code may also be wrong in other ways, particularly in a little endian environment.

Impact

Often results in buffer overflow conditions.

Vulnerabilities

  • Failure to take mixed data types into account when performing pointer arithmetic.

Countermeasures

  • Design: Use a type safe platform as it will provide high-level memory abstractions.
  • Implementation: Always use array indexing instead of direct pointer manipulation.
  • Other: Use technologies for preventing buffer overflows.

Vulnerability Patterns

How Tos

Personal tools