Variant · Low-Medium

CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer

The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.

Description

Passing an inadequately-sized output buffer to a path manipulation function can result in a buffer overflow. Such functions include realpath(), readlink(), PathAppend(), and others.

Potential Impact

Integrity, Confidentiality, Availability

Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

Demonstrative Examples

In this example, the function creates a directory named "output\<name>" in the current directory and returns a heap-allocated copy of its name.
Bad
#include <windows.h>
#include <shlwapi.h>  /* PathAppend(), StrDup() */
#include <shlobj.h>   /* SHCreateDirectoryEx() */

/* Assumes a non-UNICODE build, so the TCHAR APIs below operate on char. */
char *createOutputDirectory(char *name) {
    /* Weakness: 128 bytes is smaller than MAX_PATH, so PathAppend() can write past the end. */
    char outputDirectoryName[128];
    if (GetCurrentDirectory(128, outputDirectoryName) == 0) return NULL;
    if (!PathAppend(outputDirectoryName, "output")) return NULL;
    if (!PathAppend(outputDirectoryName, name)) return NULL;   /* can overflow for a long name */
    if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL) != ERROR_SUCCESS) return NULL;
    return StrDup(outputDirectoryName);
}
For most values of the current directory and the name parameter, this function will work properly. However, if the name parameter is particularly long, then the second call to PathAppend() could overflow the outputDirectoryName buffer, which is smaller than MAX_PATH bytes.

Mitigations & Prevention

Implementation

Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions.
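As an added example that is not part of the CWE entry, the same output-directory construction written against the POSIX path functions the entry names (realpath() and readlink()), with every output buffer sized to PATH_MAX and every result length checked so that an over-long name is refused instead of overflowing. The function names build_output_path, read_link_target and canonical_path are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* Linux value; size buffers from the limit, never from a guess */
#endif

/* Builds "<base>/output/<name>" into out, which must be PATH_MAX bytes.
 * Returns 0 on success, or -1 with errno = ENAMETOOLONG when the result would
 * not fit. snprintf() returns the length it needed, so a value >= PATH_MAX
 * means the silent overflow of the 128-byte example becomes a refusal. */
int build_output_path(const char *base, const char *name, char out[PATH_MAX]) {
    int needed = snprintf(out, PATH_MAX, "%s/output/%s", base, name);
    if (needed < 0 || needed >= PATH_MAX) {
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* readlink() neither NUL-terminates nor reports truncation: reserve one byte
 * for the terminator and treat a completely filled buffer as possibly truncated. */
int read_link_target(const char *path, char out[PATH_MAX]) {
    ssize_t n = readlink(path, out, PATH_MAX - 1);
    if (n < 0) return -1;
    if (n == PATH_MAX - 1) { errno = ENAMETOOLONG; return -1; }
    out[n] = '\0';
    return 0;
}

/* realpath() may write up to PATH_MAX bytes into its output buffer, so any
 * smaller buffer (such as the 128-byte one above) is an overflow waiting to happen. */
int canonical_path(const char *path, char out[PATH_MAX]) {
    return realpath(path, out) ? 0 : -1;
}
```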

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Often Misused: File System
  • Software Fault Patterns: SFP9 — Faulty String Expansion

Frequently Asked Questions

What is CWE-785?

CWE-785 (Use of Path Manipulation Function without Maximum-sized Buffer) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.

How can CWE-785 be exploited?

Attackers can exploit CWE-785 (Use of Path Manipulation Function without Maximum-sized Buffer) to modify memory, execute unauthorized code or commands, or cause a DoS (crash, exit, or restart). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-785?

Key mitigations include: Always specify output buffers large enough to handle the maximum-size possible result from path manipulation functions.

What is the severity of CWE-785?

CWE-785 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.