Kingdom: Code Quality
Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
Obsolete: Inadequate Pointer Validation
Abstract
The function is obsolete and cannot guarantee that a pointer is valid or referenced memory is safe to use.
Explanation
There are a number of reasons not to use the
1) Not thread safe.
2) Often implicated in crashes caused by their probing of invalid memory addresses.
3) Erroneously believed to carry out proper error handling during exception conditions.
Example 1: The following code uses
Programmers often use these functions intending that they will detect exception cases, but the functions usually cause more problems than they fix.
IsBadXXXPtr() class of functions. These functions are:1) Not thread safe.
2) Often implicated in crashes caused by their probing of invalid memory addresses.
3) Erroneously believed to carry out proper error handling during exception conditions.
Example 1: The following code uses
IsBadWritePtr() in an attempt to prevent bad memory writes.
if (IsBadWritePtr(ptr, length))
{
[handle error]
}
Programmers often use these functions intending that they will detect exception cases, but the functions usually cause more problems than they fix.
References
[1] Raymond Chen IsBadXxxPtr should really be called CrashProgramRandomly
[2] IsBadWritePtr Function Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.semantic.cpp.obsolete_inadequate_pointer_validation