19. CWE and CVSS use in Practice: Code Review

    void CHTMLEngine::SetPost(CBufferedInput& buf, unsigned int length, string& multipart)
    {
        m_post = true;
        if (length <= 0) return;                 // length is unsigned, so this only rejects 0
        char* pData = new char[length+1];        // length+1 wraps to 0 when length == UINT_MAX
        memset(pData, 0, length+1);
        // Read the POSTed data into a buffer
        int totalBytesRead = 0;
        int bytesRead = 0;
        while (length - totalBytesRead > 0) {
            bytesRead = buf.Read(pData + totalBytesRead, length - totalBytesRead);
            if (bytesRead == -1) {
                DTRACE(1, "EOF error reading POSTed data.");
                break;
            }
            totalBytesRead += bytesRead;
        }
        m_post_data = pData;
        m_mp_boundary = multipart;
        delete [] pData;
    }

What if I make length = -1?
new char[0] calls malloc(0), which succeeds!
Next, attacker-controlled data either overflows the heap or crashes.
Doesn't quite work: length is unsigned.
20. CWE and CVSS use in Practice: Code Review (same SetPost code as on slide 19)

Buffer Overflow
CWE: 119
CVSS 2: 7.6
CVSS 2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
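The slide's finding hinges on one line of unsigned arithmetic: with length == UINT_MAX, length+1 wraps to 0, the allocation succeeds, and the read loop is then handed a huge byte count. The example below is added here and is not code from the slides or from Symantec; it shows the wrap explicitly, then a hardened replacement for SetPost that validates the length against a ceiling before allocating and copies only the bytes actually read. FakeBufferedInput, ValidPostLength, SafeSetPost and kMaxPostBytes are assumed names for illustration; FakeBufferedInput mimics the slide's buf.Read contract (bytes read, or -1 on EOF) over a constructed byte string.

```cpp
#include <climits>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Assumed stand-in for the slide's CBufferedInput: serves a constructed
// byte string and follows the same Read(dst, n) -> bytes read / -1 on EOF contract.
class FakeBufferedInput {
public:
    explicit FakeBufferedInput(std::string data) : data_(std::move(data)), pos_(0) {}
    int Read(char* dst, unsigned int n) {
        if (pos_ >= data_.size()) return -1;           // EOF
        size_t avail = data_.size() - pos_;
        size_t take = n < avail ? n : avail;
        std::memcpy(dst, data_.data() + pos_, take);
        pos_ += take;
        return static_cast<int>(take);
    }
private:
    std::string data_;
    size_t pos_;
};

// The allocation size the slide's code computes: length+1 in unsigned arithmetic.
// For length == UINT_MAX this wraps to 0, which is why new char[0] "succeeds".
unsigned int WrappedAllocSize(unsigned int length) { return length + 1u; }

// Assumed policy value: an upper bound on POST bodies this server will buffer.
const unsigned int kMaxPostBytes = 1u << 20;  // 1 MiB

// Hardened length check: rejecting anything above kMaxPostBytes both caps the
// allocation and makes the length+1 wrap impossible (UINT_MAX is far above the cap).
bool ValidPostLength(unsigned int length) {
    if (length == 0) return false;                     // nothing to read
    if (length > kMaxPostBytes) return false;          // oversized or wrapped value
    return true;
}

// Hardened SetPost: bounded buffer, no manual new/delete, no +1 arithmetic.
// Returns the body actually received (shorter than length if the stream hits EOF).
std::string SafeSetPost(FakeBufferedInput& buf, unsigned int length) {
    if (!ValidPostLength(length)) return std::string();
    std::vector<char> data(length);                    // exactly `length` bytes
    unsigned int total = 0;
    while (total < length) {
        int got = buf.Read(data.data() + total, length - total);
        if (got <= 0) break;                           // -1 (EOF) or no progress: stop
        total += static_cast<unsigned int>(got);
    }
    return std::string(data.data(), total);
}

int main() {
    std::printf("length=UINT_MAX -> new char[%u]\n", WrappedAllocSize(UINT_MAX));
    std::printf("ValidPostLength(UINT_MAX) = %d\n", ValidPostLength(UINT_MAX));
    FakeBufferedInput in("name=alice&x=1");            // constructed sample POST body
    std::printf("body: %s\n", SafeSetPost(in, 14).c_str());
    return 0;
}
```

Note that SafeSetPost never trusts the caller-supplied length for anything but the vector size, which is itself bounded by kMaxPostBytes; the returned string is sized from total, so a body that ends early cannot leave uninitialised bytes in m_post_data.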
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec's internal secure software development process, training, threat modeling and penetration testing. Cassio's background includes over 13 years of technical and managerial experience in the software industry. During the seven years he has been with Symantec, he has helped to architect, design and develop several top-selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also internationally known for leading the OWASP chapter in Los Angeles. Cassio represents Symantec on the SAFECode technical committee and (ISC)² in the development of the CSSLP certification. He holds a bachelor's degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a master's degree in software engineering from Santa Clara University, and a master's of business administration from the University of Southern California.