1. Home
  2. CWE Database
  3. CWE-124
Base · Medium

CWE-124: Buffer Underwrite ('Buffer Underflow')

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

CWE-124 · Base Level ·8 CVEs ·2 Mitigations

Description

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

Potential Impact

Integrity, Availability

Modify Memory, DoS: Crash, Exit, or Restart

Integrity, Confidentiality, Availability, Access Control, Other

Execute Unauthorized Code or Commands, Modify Memory, Bypass Protection Mechanism, Other

Access Control, Other

Bypass Protection Mechanism, Other

Demonstrative Examples

In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character.
Bad
char* trimTrailingWhitespace(char *strMessage, int length) {
                        char *retMessage;char *message = malloc(sizeof(char)*(length+1));
                           
                           // copy input string to a temporary string
                           char message[length+1];int index;for (index = 0; index < length; index++) {message[index] = strMessage[index];}message[index] = '\0';
                           
                           // trim trailing whitespace
                           int len = index-1;while (isspace(message[len])) {message[len] = '\0';len--;}
                           
                           // return string without trailing whitespace
                           retMessage = message;return retMessage;
                     }
However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer.
The following is an example of code that may result in a buffer underwrite. This code is attempting to replace the substring "Replace Me" in destBuf with the string stored in srcBuf. It does so by using the function strstr(), which returns a pointer to the found substring in destBuf. Using pointer arithmetic, the starting index of the substring is found.
Bad
int main() {
                     ...
                     char *result = strstr(destBuf, "Replace Me");
                     int idx = result - destBuf;
                     strcpy(&destBuf[idx], srcBuf);
                     ...}
In the case where the substring is not found in destBuf, strstr() will return NULL, causing the pointer arithmetic to be undefined, potentially setting the value of idx to a negative number. If idx is negative, this will result in a buffer underwrite of destBuf.

Mitigations & Prevention

Requirements

Choose a language that is not susceptible to these issues.

Implementation

All calculated values that are used as index or for pointer arithmetic should be validated to ensure that they are within an expected range.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
  • Automated Dynamic Analysis Moderate — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].

Real-World CVE Examples

CVE IDDescription
CVE-2021-24018buffer underwrite in firmware verification routine allows code execution via a crafted firmware image
CVE-2002-2227Unchecked length of SSLv2 challenge value leads to buffer underflow.
CVE-2007-4580Buffer underflow from a small size value with a large buffer (length parameter inconsistency, CWE-130)
CVE-2007-1584Buffer underflow from an all-whitespace string, which causes a counter to be decremented before the buffer while looking for a non-whitespace character.
CVE-2007-0886Buffer underflow resultant from encoded data that triggers an integer overflow.
CVE-2006-6171Product sets an incorrect buffer size limit, leading to "off-by-two" buffer underflow.
CVE-2006-4024Negative value is used in a memcpy() operation, leading to buffer underflow.
CVE-2004-2620Buffer underflow due to mishandled special characters

CWE-786: Access of Memory Location Before Start of Buffer

The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginni...

CWE-787: Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Taxonomy Mappings

  • PLOVER: — UNDER - Boundary beginning violation ('buffer underflow'?)
  • CLASP: — Buffer underwrite
  • Software Fault Patterns: SFP8 — Faulty Buffer Access

Frequently Asked Questions

What is CWE-124?

CWE-124 (Buffer Underwrite ('Buffer Underflow')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

How can CWE-124 be exploited?

Attackers can exploit CWE-124 (Buffer Underwrite ('Buffer Underflow')) to modify memory, dos: crash, exit, or restart. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-124?

Key mitigations include: Choose a language that is not susceptible to these issues.

What is the severity of CWE-124?

CWE-124 is classified as a Base-level weakness (Medium abstraction). It has been observed in 8 real-world CVEs.