Description
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code.
Potential Impact
Confidentiality, Integrity
Read Memory, Modify Memory, Varies by Context
Demonstrative Examples
int processMessageFromSocket(int socket) {
int success;
char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE];
// get message from socket and store into buffer
//Ignoring possibliity that buffer > BUFFER_SIZE
if (getMessage(socket, buffer, BUFFER_SIZE) > 0) {
// place contents of the buffer into message structure
ExMessage *msg = recastBuffer(buffer);
// copy message body into string for processing
int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0';
// process message
success = processMessage(message);
}return success;
}Mitigations & Prevention
When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data.
Do not let the user control the size of the buffer.
Validate that the length of the user-supplied data is consistent with the buffer size.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2014-0160 | Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive |
| CVE-2009-2299 | Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data. |
| CVE-2001-0825 | Buffer overflow in internal string handling routine allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check. |
| CVE-2001-1186 | Web server allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents server from timing out the c |
| CVE-2001-0191 | Service does not properly check the specified length of a cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cook |
| CVE-2003-0429 | Traffic analyzer allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. |
| CVE-2000-0655 | Chat client allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1. |
| CVE-2004-0492 | Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length HTTP header field causing a heap-based buffer overflow. |
| CVE-2004-0201 | Help program allows remote attackers to execute arbitrary commands via a heap-based buffer overflow caused by a .CHM file with a large length field |
| CVE-2003-0825 | Name services does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Can overlap zero-length issues |
| CVE-2004-0095 | Policy manager allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value. |
| CVE-2004-0826 | Heap-based buffer overflow in library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message. |
| CVE-2004-0808 | When domain logons are enabled, server allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provi |
| CVE-2002-1357 | Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute ar |
| CVE-2004-0774 | Server allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1. |
Showing 15 of 25 observed examples.
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Length Parameter Inconsistency
- Software Fault Patterns: SFP24 — Tainted Input to Command
Frequently Asked Questions
What is CWE-130?
CWE-130 (Improper Handling of Length Parameter Inconsistency) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
How can CWE-130 be exploited?
Attackers can exploit CWE-130 (Improper Handling of Length Parameter Inconsistency) to read memory, modify memory, varies by context. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-130?
Key mitigations include: When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data.
What is the severity of CWE-130?
CWE-130 is classified as a Base-level weakness (Medium abstraction). It has been observed in 25 real-world CVEs.