Buffer Over-read

Status: Draft
Abstraction: Variant
Structure: Simple
Description

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

Common Consequences (3)
Scope: Confidentiality

Impact: Read Memory

Scope: Confidentiality

Impact: Bypass Protection Mechanism

By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.

Scope: Availability, Integrity

Impact: DoS: Crash, Exit, or Restart

An attacker might be able to cause a crash or other denial of service by making the product read a memory location it is not allowed to access (for example, triggering a segmentation fault), or by creating conditions in which the read operation returns more data than expected.

Detection Methods (1)
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Demonstrative Examples (2)

ID : DX-91

In the following C/C++ example, the function processMessageFromSocket() reads a message from a socket into a buffer and parses the buffer's contents into a structure holding the message length and the message body. A for loop then copies the message body into a local character string, which is passed to another function for processing.

Code Example:

Bad
C

Only the comments and the closing lines of the original listing survived extraction; the body of processMessageFromSocket() between them is not on the page:

```c
// get message from socket and store into buffer
/* ... remainder of the listing not recovered ... */
// process message
success = processMessage(message);
}
return success;
}
```

However, the message length field from the structure (msgLength) is used as the termination condition of the for loop without validating that it reflects the actual length of the message body (Unchecked Input for Loop Condition). If msgLength claims more bytes than the message body actually contains (Improper Handling of Length Parameter Inconsistency), the loop reads past the end of the received data (Buffer Over-read). Because the same unchecked value also bounds the writes into the local string, it can overflow that destination as well.
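The following is an added example, not the CWE listing above: a compact reconstruction of the pattern just described, placed beside a checked version that validates msgLength against both the bytes actually received and the destination size. The 2-byte little-endian length prefix, the ExMessage struct, the parseHeader() helper and the copyBody_*() names are assumptions made for this demonstration; the sample messages are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the page's own listing.  The 2-byte little-endian
 * length prefix, the ExMessage struct and parseHeader() are assumptions
 * made for this demonstration. */

#define MESSAGE_SIZE 64

typedef struct {
    uint16_t msgLength;      /* attacker-controlled: comes straight off the wire */
    const uint8_t *msgBody;
} ExMessage;

/* Split the received bytes into header and body.  Returns 0 on success,
 * -1 if not even the header was received. */
static int parseHeader(const uint8_t *buf, size_t received, ExMessage *msg)
{
    if (received < 2)
        return -1;
    msg->msgLength = (uint16_t)(buf[0] | (buf[1] << 8));
    msg->msgBody = buf + 2;
    return 0;
}

/* Vulnerable shape from the text: msgLength alone bounds the loop.  If it
 * exceeds the bytes actually received, the loop reads past the end of the
 * input (CWE-126); if it exceeds MESSAGE_SIZE it also overflows 'message'.
 * Shown for comparison only; never call it on untrusted input. */
int copyBody_vulnerable(const uint8_t *buf, size_t received, char *message)
{
    ExMessage msg;
    int index;
    if (parseHeader(buf, received, &msg) != 0)
        return -1;
    for (index = 0; index < msg.msgLength; index++)
        message[index] = (char)msg.msgBody[index];
    message[index] = '\0';
    return index;
}

/* Hardened version: the claimed length must be covered by the bytes
 * received AND leave room for the terminator in the destination.
 * Returns the body length, or a negative code naming the failed check. */
int copyBody_checked(const uint8_t *buf, size_t received,
                     char *message, size_t messageSize)
{
    ExMessage msg;
    if (parseHeader(buf, received, &msg) != 0)
        return -1;
    if (msg.msgLength > received - 2)        /* length/payload inconsistency */
        return -2;
    if (msg.msgLength >= messageSize)        /* would not fit with the NUL */
        return -3;
    memcpy(message, msg.msgBody, msg.msgLength);
    message[msg.msgLength] = '\0';
    return (int)msg.msgLength;
}

/* Constructed sample messages for the demonstration. */
int demo_consistent(void)
{
    static const uint8_t wire[] = { 5, 0, 'h', 'e', 'l', 'l', 'o' };
    char message[MESSAGE_SIZE];
    int n = copyBody_checked(wire, sizeof wire, message, sizeof message);
    return (n == 5 && strcmp(message, "hello") == 0) ? n : -100;
}

int demo_inconsistent(void)
{
    /* Header claims 65535 bytes; only 2 bytes of body follow. */
    static const uint8_t wire[] = { 0xff, 0xff, 'h', 'i' };
    char message[MESSAGE_SIZE];
    return copyBody_checked(wire, sizeof wire, message, sizeof message);
}

int demo_too_long_for_destination(void)
{
    /* Consistent with the bytes received, but 64 bytes plus the
     * terminator cannot fit in a 64-byte array. */
    static uint8_t wire[2 + 64];
    char message[MESSAGE_SIZE];
    wire[0] = 64; wire[1] = 0;
    memset(wire + 2, 'A', 64);
    return copyBody_checked(wire, sizeof wire, message, sizeof message);
}

int main(void)
{
    printf("checked: consistent=%d inconsistent=%d oversize=%d\n",
           demo_consistent(), demo_inconsistent(), demo_too_long_for_destination());
    return 0;
}
```

The two checks in copyBody_checked() are the ones SAST tools look for on this source-to-sink path: the wire length is compared against the number of bytes the read actually returned, and separately against the capacity of the buffer it is copied into. Passing only one of them still leaves either an over-read or an overflow.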
The following C/C++ example demonstrates a buffer over-read due to a missing NULL terminator. The main() function of a pattern matching utility that looks for a specific pattern within a specific file uses strncpy() to copy the file name and pattern supplied on the command line into the Filename and Pattern character arrays respectively.

Code Example:

Bad
C

Only the opening comment of the original listing survived extraction; the strncpy() calls it describes are not on the page:

```c
/* Validate number of parameters and ensure valid content */
...
```
However, the code does not take into account that strncpy() will not add a NULL terminator when the source string is as long as, or longer than, the size argument. Therefore, if a user enters a filename or pattern that is the same size as (or larger than) the respective character array, no NULL terminator is added (Improper Null Termination), and printf() reads beyond the expected end of the Filename and Pattern buffers until it happens to find a zero byte in adjacent memory.
To fix this problem, pass sizeof() minus 1 as the length so that one byte is reserved, and write the null byte into that last element explicitly.

Code Example:

Good
C

```c
/* copy filename parameter to variable, no off-by-one overflow */
strncpy(Filename, argv[2], sizeof(Filename)-1);
Filename[255]='\0';   /* Filename is a 256-byte array; always terminate */
```
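As an added example (not the page's own listing), the block below makes the non-termination observable: it fills a small Filename array the way the vulnerable code does, checks with memchr() whether a terminator exists, and then applies the page's fix generalised into a helper that always terminates and also reports truncation. The 8-byte buffer size and the input strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the page's listing.  Demonstrates why a full-size
 * strncpy() can leave the destination unterminated and what a safe copy
 * looks like.  Buffer sizes and inputs are constructed for the demo. */

/* 1 if a NUL exists within the first 'size' bytes, else 0. */
int has_terminator(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* The page's vulnerable pattern: strncpy() with the whole buffer size.
 * The buffer is pre-filled with non-zero bytes to mimic an uninitialised
 * stack array.  Returns whether the result is NUL-terminated. */
int copy_full_size(char *dst, size_t dstsz, const char *src)
{
    memset(dst, 'X', dstsz);
    strncpy(dst, src, dstsz);
    return has_terminator(dst, dstsz);
}

/* The page's fix, generalised: copy at most dstsz-1 bytes and always write
 * the terminator.  Returns 1 if src was truncated, 0 if it fit, -1 on bad
 * arguments. */
int copy_terminated(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz;
}

/* Demonstrations on an 8-byte Filename array. */
int demo_exact_fit_unterminated(void)
{
    char Filename[8];
    /* 8 characters fill all 8 bytes: strncpy() writes no NUL, so a later
     * printf("%s", Filename) would read past the array. */
    return copy_full_size(Filename, sizeof Filename, "ABCDEFGH");
}

int demo_short_input_terminated(void)
{
    char Filename[8];
    /* 3 characters: strncpy() pads the rest with NULs, so this one is fine. */
    return copy_full_size(Filename, sizeof Filename, "abc");
}

int demo_hardened_copy(void)
{
    char Filename[8];
    int truncated = copy_terminated(Filename, sizeof Filename, "ABCDEFGHIJ");
    /* Truncated to 7 characters, but always a valid C string. */
    return truncated == 1 && has_terminator(Filename, sizeof Filename)
           && strlen(Filename) == 7;
}

int main(void)
{
    printf("exact-fit strncpy terminated?  %d\n", demo_exact_fit_unterminated());
    printf("short strncpy terminated?      %d\n", demo_short_input_terminated());
    printf("hardened copy OK?              %d\n", demo_hardened_copy());
    return 0;
}
```

The truncation flag returned by copy_terminated() is worth acting on: silently cutting a filename or pattern short turns a memory-safety bug into a logic bug, so callers should reject or report inputs that did not fit rather than proceed with the shortened string.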
Observed Examples (3)
CVE-2022-1733: Text editor has out-of-bounds read past end of line while indenting C code.
CVE-2014-0160: Chain: "Heartbleed" bug receives an inconsistent length parameter (Improper Handling of Length Parameter Inconsistency) enabling an out-of-bounds read (Buffer Over-read), returning memory that could include private cryptographic keys and other sensitive data.
CVE-2009-2523: Chain: product does not handle when an input string is not NULL terminated, leading to buffer over-read or heap-based buffer overflow.
References (3)
[REF-1034] Raoul Strackx, Yves Younan, Pieter Philippaerts, Frank Piessens, Sven Lachmund and Thomas Walter. "Breaking the memory secrecy assumption". ACM, 2009-03-31.
[REF-1035] Fermin J. Serna. "The info leak era on software exploitation". 2012-07-25.
[REF-44] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010.
Applicable Platforms
Languages:
C (prevalence: Undetermined), C++ (prevalence: Undetermined)
Modes of Introduction
Implementation
Functional Areas
  1. Memory Management
Affected Resources
  1. Memory
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
Relationship: These problems may be resultant from missing sentinel values (Deletion of Data Structure Sentinel) or trusting a user-influenced input length variable.
Other: A buffer over-read typically occurs when the pointer or its index is incremented to a position past the end of the buffer, or when pointer arithmetic results in a position after the valid memory location.