CWE-788: does the extended description contain a mistake?


CWE-788: does the extended description contain a mistake?

Roberto Martelloni
Hi, 

I'm mapping all errors reported by cppcheck (a secure static analysis tool) and looking for the right CWE to describe: Array 'array[2]' accessed at index 2, which is out of bounds.

I think that the right CWE for that weakness should be CWE-788, but reading the extended description it sounds like there is a mistake.

CWE-788: Access of Memory Location After End of Buffer

This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.

Should not the words in bold be substituted as follows:

This typically occurs when a pointer or its index is incremented to a position after the buffer, when pointer arithmetic results in a position after the end of the valid memory location, or when a negative index is used. These problems may be resultant from missing sentinel values (CWE-463) or trusting a user-influenced input length variable.


If you are curious about the mapping initiative, here is where I'm collecting my notes/actions about cppcheck and CWE language: https://docs.google.com/spreadsheets/d/1euprfInepnmse7NSQEjUIvn6_UU4_STQsVyQ_ndC2ks/edit?usp=sharing

The cppcheck ticket, instead, is here: http://trac.cppcheck.net/ticket/6656

Many Thanks,

R.
--
Roberto Martelloni
boos @ http://boos.core-dumped.info
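The distinction the post is drawing between the two CWE entries, as an added example that is not part of the thread, of cppcheck or of CWE: a C helper that places an index into the CWE-786 (before start) or CWE-788 (after end) class and a checked read that replaces a raw array[idx]; all names and the sample array are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the thread): the two CWE classes discussed above,
 * as a bounds check would report them. A negative index lands before the
 * start (CWE-786); an index >= length lands after the end (CWE-788),
 * which is exactly the cppcheck finding: array[2] accessed at index 2. */
typedef enum {
    ACCESS_IN_BOUNDS = 0,
    ACCESS_CWE_786,   /* Access of Memory Location Before Start of Buffer */
    ACCESS_CWE_788    /* Access of Memory Location After End of Buffer */
} access_class;

/* idx is signed, as an index expression would be; len counts elements. */
access_class classify_index(long idx, size_t len)
{
    if (idx < 0)
        return ACCESS_CWE_786;
    if ((size_t)idx >= len)   /* idx == len is the off-by-one case */
        return ACCESS_CWE_788;
    return ACCESS_IN_BOUNDS;
}

/* Hardened form of a raw array[idx]: the element is read only when the
 * access is in bounds, and the caller learns which class it fell into. */
access_class checked_read(const int *buf, size_t len, long idx, int *out)
{
    access_class c = classify_index(idx, len);
    if (c == ACCESS_IN_BOUNDS)
        *out = buf[idx];
    return c;
}

/* Constructed sample reproducing the thread's case: two elements, index 2. */
static const int sample_array[2] = { 10, 20 };
#define SAMPLE_LEN (sizeof sample_array / sizeof sample_array[0])

int main(void)
{
    static const char *names[] = { "in bounds", "CWE-786 (before start)",
                                   "CWE-788 (after end)" };
    long probes[] = { -1, 0, 1, 2 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int v = 0;
        access_class c = checked_read(sample_array, SAMPLE_LEN, probes[i], &v);
        printf("array[%ld]: %s\n", probes[i], names[c]);
    }
    return 0;
}
```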



Re: CWE-788: does the extended description contain a mistake?

JA
Hi,

This is, again, part of our previous discussion, aka "Rationalize
CWE-119 (improper buffer bound restriction) and CWE-120 (classic
buffer overflow)".
An in-depth review should be performed.

2015-05-21 19:47 GMT+03:00 Roberto Martelloni <[hidden email]>:


Re: CWE-788: does the extended description contain a mistake?

Roberto Martelloni
Hi, 

My email is about what I believe is just a copy-and-paste mistake from CWE-786 to CWE-788.
Even if, as highlighted in the previous discussion, a deep review should be performed, I believe a quick fix of the words used in CWE-788 can be beneficial.

R.

On Fri, May 22, 2015 at 9:01 AM, Jerome Athias <[hidden email]> wrote:

Re: CWE-788: does the extended description contain a mistake?

JA
I got that.
The likelihood is high, after a quick review, that it is a copy/paste error.
In the meantime I can't be sure without investigation/review.

Does that make sense?

2015-05-22 11:51 GMT+03:00 Roberto Martelloni <[hidden email]>:


Re: CWE-788: does the extended description contain a mistake?

Roberto Martelloni
If it were all up to me, I would say yes.

I can't see why a copy/paste error should not be quickly fixed (considering that, as far as I can see, the effort would be 5 minutes), even if later on the whole hierarchy related to buffer overflow might/will be rewritten/reorganized.

That said, I'm not directly involved in the CWE effort and I've no clue what is going on behind the scenes; hence, back in reality, it is a MITRE call.

Regards,
R.

On Fri, May 22, 2015 at 10:19 AM, Jerome Athias <[hidden email]> wrote:

RE: CWE-788: does the extended description contain a mistake?

Christey, Steven M.
Roberto,

Thank you for inquiring. Yes, the extended description of CWE-788 is an accidental copy-and-paste of the extended description of CWE-786 (sometimes when we try to be consistent, we become TOO consistent ;-) ). Notice that the description summary and name for CWE-788 both emphasize "after" the end of the buffer.

We will fix this error in the next version of CWE.

Thank you,
Steve Christey Coley
CWE Technical Lead

=================================

From: [hidden email] [mailto:[hidden email]] On Behalf Of Roberto Martelloni
Sent: Friday, May 22, 2015 6:00 AM
To: Jerome Athias
Cc: cwe-research-list CWE Research Discussion
Subject: Re: CWE-788: does the extended description contain a mistake?
