Addition of data-structure sentinel
The accidental addition of a data-structure sentinel can cause serious programming logic problems.
- Availability: Generally this error will cause the data structure to not work properly by truncating the data.
- Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
- Design: Mitigating technologies such as safe string libraries and container abstractions could be introduced.
- Implementation: Many logic errors can lead to this condition. It can be exacerbated by lack of or misuse of mitigating technologies.
- Languages: C, C++, Fortran, Assembly
- Operating platforms: All, although partial preventative measures may be deployed depending on environment.
Likelihood of exploit
High to Very High
Avoidance and mitigation
- Pre-design: Use a language or compiler that performs automatic bounds checking.
- Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.
- Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice, and Microsoft Visual Studio / GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
- Operational: Use OS-level preventative functionality. Not a complete solution.
Data-structure sentinels are often used to mark structure of the data structure. A common example of this is the null character at the end of strings. Another common example is linked lists which may contain a sentinel to mark the end of the list.
It is, of course dangerous, to allow this type of control data to be easily accessible. Therefore, it is important to protect from the addition or modification outside of some wrapper interface which provides safety.
By adding a sentinel, one potentially could cause data to be truncated early.
char *foo; foo=malloc(sizeof(char)*4); foo='a'; foo='a'; foo=0; foo='c'; printf("%c %c %c %c %c \n",foo,foo,foo,foo); printf("%s\n",foo);