Description
The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.
The use of sizeof() on a pointer can sometimes generate useful information. An obvious case is to find out the wordsize on a platform. More often than not, the appearance of sizeof(pointer) indicates a bug.
Potential Impact
Integrity, Confidentiality
Modify Memory, Read Memory
Demonstrative Examples
Example 1 (incorrect): the allocation requests the size of the pointer itself, not the size of a double:

```c
double *foo;
...
foo = (double *)malloc(sizeof(foo));
```

Example 1 (corrected): sizeof(*foo) yields the size of the pointed-to double:

```c
double *foo;
...
foo = (double *)malloc(sizeof(*foo));
```

Example 2: the following authentication code applies sizeof() to two char pointers, so strncmp() only ever compares the first sizeof(char *) characters of the username and password.

```c
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added so the example compiles; the original leaves these values and helpers undefined. */
#define AUTH_SUCCESS 0
#define AUTH_FAIL 1
static void ExitError(const char *msg) { fprintf(stderr, "%s\n", msg); exit(EXIT_FAILURE); }
static void DoAuthenticatedTask(const char *user) { printf("Running task as %s\n", user); }

char *username = "admin";
char *pass = "password";

int AuthenticateUser(char *inUser, char *inPass) {
    /* sizeof() yields the size of the pointer, not the length of the string it points to. */
    printf("Sizeof username = %zu\n", sizeof(username));
    printf("Sizeof pass = %zu\n", sizeof(pass));
    if (strncmp(username, inUser, sizeof(username))) {
        printf("Auth failure of username using sizeof\n");
        return(AUTH_FAIL);
    }
    /* Because of CWE-467, the sizeof returns 4 on many platforms and architectures (8 on 64-bit builds). */
    if (! strncmp(pass, inPass, sizeof(pass))) {
        printf("Auth success of password using sizeof\n");
        return(AUTH_SUCCESS);
    }
    else {
        printf("Auth fail of password using sizeof\n");
        return(AUTH_FAIL);
    }
}

int main (int argc, char **argv){
    int authResult;
    if (argc < 3) {
        ExitError("Usage: Provide a username and password");
    }
    authResult = AuthenticateUser(argv[1], argv[2]);
    if (authResult != AUTH_SUCCESS) {
        ExitError("Authentication failed");
    }
    else {
        DoAuthenticatedTask(argv[1]);
    }
    return 0;
}
```

On a platform where sizeof(pass) is 4, only the first four characters of the supplied password are compared, so inputs such as the following are all accepted as the password:

- pass5
- passABCDEFGH
- passWORD

Mitigations & Prevention
Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
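To make both sides of the weakness concrete, the following added example (not code from the CWE entry) places the page's truncated password comparison next to a corrected one, exposes the pointer width as a parameter so the 32-bit and 64-bit behaviour can be examined on one machine, and shows the malloc() size calculation with sizeof(pointer) versus sizeof(*pointer). The password "password" and the names of all functions are constructed for this illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Reference secret for the demonstration (constructed; mirrors the page's "password"). */
static const char *const PASS = "password";

/* The page's check as written: the comparison length is sizeof(pass), which is the
 * size of a char pointer (typically 4 or 8 bytes), not the length of the password. */
int check_password_sizeof_bug(const char *candidate) {
    const char *pass = PASS;
    return strncmp(pass, candidate, sizeof(pass)) == 0;  /* sizeof(pointer): truncated compare */
}

/* Same bug with the pointer width made explicit, so the effect can be checked for
 * both a 32-bit (4) and a 64-bit (8) build without recompiling. */
int check_password_truncated(const char *candidate, size_t ptr_width) {
    return strncmp(PASS, candidate, ptr_width) == 0;
}

/* Corrected check: require equal length and compare the whole secret, so neither a
 * prefix-matching input ("pass5") nor a longer one ("passwordXYZ") is accepted. */
int check_password_fixed(const char *candidate) {
    size_t len = strlen(PASS);
    return strlen(candidate) == len && memcmp(PASS, candidate, len) == 0;
}

/* Allocation side of CWE-467: bytes requested for n doubles, buggy and corrected. */
size_t alloc_bytes_sizeof_pointer(size_t n) {
    double *foo = NULL;
    return n * sizeof(foo);    /* bug: sizeof(foo) is the pointer size */
}

size_t alloc_bytes_sizeof_pointee(size_t n) {
    double *foo = NULL;
    return n * sizeof(*foo);   /* correct: sizeof(*foo) == sizeof(double) */
}

/* Allocate n doubles using the object size rather than the pointer size; caller frees. */
double *alloc_doubles(size_t n) {
    double *foo = malloc(alloc_bytes_sizeof_pointee(n));
    return foo;
}
```

On a 64-bit build sizeof(pass) is 8, so "pass5" is rejected but "passwordXYZ" still authenticates; the fixed check rejects both.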
Detection Methods
- Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- CLASP — Use of sizeof() on a pointer type
- CERT C Secure Coding: ARR01-C — Do not apply the sizeof operator to a pointer when taking the size of an array
- CERT C Secure Coding: MEM35-C — Allocate sufficient memory for an object
- Software Fault Patterns: SFP10 — Incorrect Buffer Length Computation
Frequently Asked Questions
What is CWE-467?
CWE-467 (Use of sizeof() on a Pointer Type) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.
How can CWE-467 be exploited?
Attackers can exploit CWE-467 (Use of sizeof() on a Pointer Type) to modify memory or read memory. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-467?
Key mitigations include: Use expressions such as "sizeof(*pointer)" instead of "sizeof(pointer)", unless you intend to run sizeof() on a pointer type to gain some platform independence or if you are allocating a variable on the stack.
What is the severity of CWE-467?
CWE-467 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.