Pointer offset(or any other arithmetic operation) on a pointer casted to a different type (than its original type) is risky and can result in undefined behaviour. The reason for such behaviour is that the memory alignment may change for types on every targeted platform.
While writing data to a buffer, the program can overrun the buffer's boundary and overwrite adjacent memory locations. These can either cause a crash if the memory region is inaccessible to the process for writing, or in the worst case produce a vulnerability to overwrite parts of the memory with untrusted user code.
Certain functions do not perform bound checks internally, leading to segmentation faults if the caller does not explicitly perform bound checks. Avoid calling such functions without explicitly checking the buffer bounds against the provided value first.
printf
/scanf
, not using any width for the format specifier %s
is vulnerable to buffer overflow CXX-S1004Using I/O operations such as printf
and scanf
without setting width limits for format strings can allow for buffer overflow when reading from a stdin pipe or writing to a stdout pipe.
When a program requests memory from the heap, it is given a pointer to the starting address of that memory block. When the program frees that memory block, the memory is returned to the heap and the pointer is no longer valid. Using freed heap memory can result in undefined behavior and potentially cause serious problems in a program.
If the source of a format string is untrusted
then there is a chance that the
format expected would break or the untrusted source may be able to insert
malicious stuff into your code.
sizeof()
in strncpy
, strncat
, or memcpy
CXX-S1016Using sizeof()
on pointers would return the complete size of the pointer only if it's from the local scope.
This issue attempts to uncover cases of sensitive information, such as passwords, encryption keys, or other confidential data, being hardcoded into the source code and shipped with the software.
This is a serious security issue because if the source code is accessible, the secret information can be easily extracted by attackers.
An exception handling catch
block is used to catch and handle errors or exceptions that may occur during the execution of a program.
When the catch
block does not contain any code to handle the exception or execute any necessary cleanup, then this can lead to problems. In particular, it can make the program unreliable, as an unhandled exception may cause the program to crash or behave unpredictably. This is especially problematic if the relevant code is reachable by an attacker, as they may be able to trigger the exception deliberately and cause the program to fail.
system()
is exploitable CXX-A1001The system()
function in C programming executes a specified command by invoking an implementation-defined command processor, such as a UNIX shell or CMD.EXE in Microsoft Windows. The problem with using system() function is that it can result in exploitable vulnerabilities, allowing for the execution of arbitrary system commands. The risks associated with using the system() function include passing an unsanitized or improperly sanitized command string originating from a tainted source, specifying a command without a path name and the command processor path name resolution mechanism is accessible to an attacker, specifying a relative path to an executable and control over the current working directory is accessible to an attacker, and if the specified executable program can be spoofed by an attacker.