CWE-464: Addition of Data Structure Sentinel

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

Description

Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect against the addition or modification of sentinels.

Potential Impact

Integrity

Modify Application Data

Demonstrative Examples

The following example assigns some character values to a list of characters and prints them each individually, and then as a string. The third character value is intended to be an integer taken from user input and converted to an int. The first print statement will print each character separated by a space.
Bad
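    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        char *foo = malloc(sizeof(char) * 5);
        if (foo == NULL)
            return 1;
        foo[0] = 'a';
        foo[1] = 'a';
        foo[2] = fgetc(stdin);  /* user-controlled value, stored unchecked */
        foo[3] = 'c';
        foo[4] = '\0';
        printf("%c %c %c %c %c \n", foo[0], foo[1], foo[2], foo[3], foo[4]);
        printf("%s\n", foo);    /* output ends at the first '\0' in foo */
        free(foo);
        return 0;
    }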
However, if a NUL byte ('\0') is read from stdin, fgetc() returns 0. When foo is printed as a string, the 0 stored in foo[2] acts as the string terminator, and the second printf() statement will not print foo[3].

Mitigations & Prevention

Implementation; Architecture and Design

Encapsulate the user from interacting with data sentinels. Validate user input to verify that sentinels are not present.

Implementation

Proper error checking can reduce the risk of inadvertently introducing sentinel values into data. For example, if a parsing function fails or encounters an error, it might return a value that is the same as the sentinel.
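The two mitigations above, input validation and error checking, applied to the demonstrative example. This is an added example, not part of the CWE entry; the names check_input_char, has_embedded_sentinel, build_record and the rec_status codes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define REC_LEN 5   /* four payload characters plus the terminator */

enum rec_status { REC_OK = 0, REC_EOF = -1, REC_SENTINEL = -2 };

/* Validate the int returned by fgetc() before it is narrowed to char.
 * EOF must be tested on the int; once stored in a char it can pass as data. */
static enum rec_status check_input_char(int c)
{
    if (c == EOF)
        return REC_EOF;
    if (c == '\0')
        return REC_SENTINEL;      /* would become an early string terminator */
    return REC_OK;
}

/* Nonzero if any of the first len payload bytes is the NUL sentinel. */
static int has_embedded_sentinel(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Build "aa?c", where ? is the validated value c as returned by fgetc(). */
static enum rec_status build_record(int c, char rec[REC_LEN])
{
    enum rec_status st = check_input_char(c);
    if (st != REC_OK)
        return st;                /* rec is left untouched on failure */
    rec[0] = 'a';
    rec[1] = 'a';
    rec[2] = (char)c;
    rec[3] = 'c';
    rec[4] = '\0';                /* the only sentinel, written by the program */
    return has_embedded_sentinel(rec, REC_LEN - 1) ? REC_SENTINEL : REC_OK;
}

int main(void)
{
    char rec[REC_LEN];
    enum rec_status st = build_record(fgetc(stdin), rec);
    if (st != REC_OK) {
        fprintf(stderr, "rejected input (status %d)\n", st);
        return 1;
    }
    printf("%s\n", rec);
    return 0;
}
```

The final has_embedded_sentinel() call is the general form of the check: it scans a length-delimited payload before the buffer is handed to any API that treats it as a C string.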

Architecture and Design

Use an abstraction library to abstract away risky APIs. This is not a complete solution.

Operation

Use OS-level preventative functionality. This is not a complete solution.

Taxonomy Mappings

  • CLASP: Addition of data-structure sentinel
  • CERT C Secure Coding: STR03-C — Do not inadvertently truncate a null-terminated byte string
  • CERT C Secure Coding: STR06-C — Do not assume that strtok() leaves the parse string unchanged

Frequently Asked Questions

What is CWE-464?

CWE-464 (Addition of Data Structure Sentinel) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The accidental addition of a data-structure sentinel can cause serious programming logic problems.

How can CWE-464 be exploited?

Attackers can exploit CWE-464 (Addition of Data Structure Sentinel) to modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-464?

Key mitigations include: Encapsulate the user from interacting with data sentinels. Validate user input to verify that sentinels are not present.

What is the severity of CWE-464?

CWE-464 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.