1. Home
  2. CWE Database
  3. CWE-469
Base · Medium

CWE-469: Use of Pointer Subtraction to Determine Size

The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

CWE-469 · Base Level ·1 Mitigations

Description

The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

Potential Impact

Access Control, Integrity, Confidentiality, Availability

Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Demonstrative Examples

The following example contains the method size that is used to determine the number of nodes in a linked list. The method is passed a pointer to the head of the linked list.
Bad
struct node {int data;struct node* next;};
                     
                     // Returns the number of nodes in a linked list from
                     
                     
                     // the given pointer to the head of the list.
                     int size(struct node* head) {struct node* current = head;struct node* tail;while (current != NULL) {tail = current;current = current->next;}return tail - head;}
                     
                     // other methods for manipulating the list
                     ...
However, the method creates a pointer that points to the end of the list and uses pointer subtraction to determine the number of nodes in the list by subtracting the tail pointer from the head pointer. There no guarantee that the pointers exist in the same memory area, therefore using pointer subtraction in this way could return incorrect results and allow other unintended behavior. In this example a counter should be used to determine the number of nodes in the list, as shown in the following code.
Good
...
                     int size(struct node* head) {struct node* current = head;int count = 0;while (current != NULL) {count++;current = current->next;}return count;}

Mitigations & Prevention

Implementation

Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable to "walk" from one pointer to the other and calculate the difference. Always validate this number.

Detection Methods

  • Fuzzing High — Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption,
  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-682: Incorrect Calculation

The product performs a calculation that generates incorrect or unintended results that are later used in security-critic...

Taxonomy Mappings

  • CLASP: — Improper pointer subtraction
  • CERT C Secure Coding: ARR36-C — Do not subtract or compare two pointers that do not refer to the same array
  • Software Fault Patterns: SFP7 — Faulty Pointer Use

Frequently Asked Questions

What is CWE-469?

CWE-469 (Use of Pointer Subtraction to Determine Size) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

How can CWE-469 be exploited?

Attackers can exploit CWE-469 (Use of Pointer Subtraction to Determine Size) to modify memory, read memory, execute unauthorized code or commands, gain privileges or assume identity. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-469?

Key mitigations include: Save an index variable. This is the recommended solution. Rather than subtract pointers from one another, use an index variable of the same size as the pointers in question. Use this variable to "walk

What is the severity of CWE-469?

CWE-469 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.