界: API Abuse

API 就像是呼叫者與被呼叫者之間簽訂的規定。最常見的 API 濫用形式是由呼叫者這一當事方未能遵守此規定所造成的。例如，如果程式在呼叫 chroot() 後無法呼叫 chdir()，即違反規範如何以安全方式變更使用中根目錄的規定。程式庫濫用的另一個好例子是期待被呼叫者向呼叫者傳回值得信賴的 DNS 資訊。在這種情況下，呼叫者是透過對其行為做出某些假設 (傳回值可用於驗證目的) 來濫用被呼叫者 API。另一方也可能違反呼叫者與被呼叫者間的規定。例如，如果編碼器衍生出子類別 SecureRandom 並傳回一個非隨機值，則違反了規定。

Often Misused: Strings

C/C++

Abstract

在多位元組和 Unicode 字串之間轉換的函數很容易發生 Buffer overflow。

Explanation

Windows 提供了 MultiByteToWideChar()、WideCharToMultiByte()、UnicodeToBytes() 和 BytesToUnicode() 函數，以在任意多位元組 (通常是 ANSI) 字元字串和 Unicode (寬字元) 字串之間進行轉換。由於這些函數用來指明字串長度的引數單位並不相同 -- 一個用的是位元組，另外一個用的是字元 -- 因此很容易造成誤用。在多位元組字元字串中，每個字元佔用的位元組數是可變的，因此這樣的字串長度等於所有位元組數相加。但是在 Unicode 中，字元有固定的長度，所以字串的長度一般都是根據它們擁有的字元數來決定的。所以，在指名字串長度的引數中弄錯了單位，就會產生 Buffer overflow。

範例 1：以下函數接收一個由多位元組字串表示的使用者名稱和一個指向使用者資訊架構的指標，並把指明的使用者資訊填入在這個架構中。因為 Windows 驗證使用 Unicode 作為使用者名，因此使用者名稱引數首先從多位元組字串轉換為 Unicode 字串。


void getUserInfo(char *username, struct _USER_INFO_2 info){
WCHAR unicodeUser[UNLEN+1];
MultiByteToWideChar(CP_ACP, 0, username, -1,
     unicodeUser, sizeof(unicodeUser));
NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}

但是此函數錯誤傳送了 unicodeUser 的位元組長度，而不是字元的長度。所以呼叫 MultiByteToWideChar() 可能會因而將最多 (UNLEN+1)*sizeof(WCHAR) 個寬字元或者 (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) 個位元組寫入 unicodeUser 陣列，而僅為此陣列分配了 (UNLEN+1)*sizeof(WCHAR) 個位元組。如果 username 字串包含了多於 UNLEN 的字元，那麼呼叫 MultiByteToWideChar() 將會溢出 unicodeUser 緩衝區。

References

[1] Security Considerations: International Features Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 176, CWE ID 251

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3

[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3

[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-16 Memory Protection (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-16 Memory Protection

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[11] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002590 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002590 CAT I

[46] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)

[47] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow

desc.semantic.cpp.often_misused_strings.multibytewidechar