CWE-135: Incorrect Calculation of Multi-Byte String Length

Description

The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

Potential Impact

Integrity, Confidentiality, Availability

Execute Unauthorized Code or Commands

Availability, Confidentiality

Read Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Confidentiality

Read Memory

Demonstrative Examples

The following example would be exploitable if any of the commented incorrect malloc calls were used.

Bad

#include <stdio.h>#include <strings.h>#include <wchar.h>
                     int main() {
                        
                           wchar_t wideString[] = L"The spazzy orange tiger jumped " \"over the tawny jaguar.";wchar_t *newString;
                           printf("Strlen() output: %d\nWcslen() output: %d\n",strlen(wideString), wcslen(wideString));
                           /* Wrong because the number of chars in a string isn't related to its length in bytes //newString = (wchar_t *) malloc(strlen(wideString));*/
                           /* Wrong because wide characters aren't 1 byte long! //newString = (wchar_t *) malloc(wcslen(wideString));*/
                           /* Wrong because wcslen does not include the terminating null */newString = (wchar_t *) malloc(wcslen(wideString) * sizeof(wchar_t));
                           /* correct! */newString = (wchar_t *) malloc((wcslen(wideString) + 1) * sizeof(wchar_t));
                           /* ... */
                     }

The output from the printf() statement would be:

Result

Strlen() output: 0Wcslen() output: 53

Mitigations & Prevention

Implementation

Always verify the length of the string unit character.

Implementation

Use length computing functions (e.g. strlen, wcslen, etc.) appropriately with their equivalent type (e.g.: byte, wchar_t, etc.)

Detection Methods

Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

CLASP: — Improper string length checking
The CERT Oracle Secure Coding Standard for Java (2011): FIO10-J — Ensure the array is filled when using read() to fill an array
Software Fault Patterns: SFP10 — Incorrect Buffer Length Computation

Frequently Asked Questions

What is CWE-135?

CWE-135 (Incorrect Calculation of Multi-Byte String Length) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

How can CWE-135 be exploited?

Attackers can exploit CWE-135 (Incorrect Calculation of Multi-Byte String Length) to execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-135?

Key mitigations include: Always verify the length of the string unit character.

What is the severity of CWE-135?

CWE-135 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.