PREfast Warning 29 (Windows CE 5.0)
29 - Possible buffer overrun in call to <function>.
Additional Information: Use of unchecked buffer size <variable>.
This warning indicates that a function that takes a buffer and a size is being passed a tainted size. The size is likely data that was read in from an external source and has not been checked to see whether it is smaller than the buffer size.
This defect can result in an exploitable buffer overrun and has led to several high-profile exploits and subsequent patches from several different software vendors.
An attacker can intentionally supply a much larger than expected value for the size, which leads to a buffer overrun.
Whenever reading data from an untrusted external source, check it for validity.
In this case, it is usually appropriate to check the size to make sure it is in the expected range.
Example
Defective Source
char buff[80];
DWORD cbLen;
DWORD cbRead;
if (!ReadFile (hFile, &cbLen, sizeof (cbLen), &cbRead, NULL)) {
    return;
}
if (!ReadFile (hFile, buff, cbLen, &cbRead, NULL)) { // error!
    // Need to check that cbLen <= 80
    return;
}
Corrected Source
char buff[80];
DWORD cbLen;
DWORD cbRead;
if (!ReadFile (hFile, &cbLen, sizeof (cbLen), &cbRead, NULL)) {
    return;
}
// Reject a length that does not fit in the buffer before using it
if (cbLen > sizeof (buff)) {
    return; // Possibly after doing some error handling
}
if (!ReadFile (hFile, buff, cbLen, &cbRead, NULL)) {
    return;
}
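The same pattern as an added, portable example (not code from the original page): an in-memory source stands in for hFile and ReadFile, and the names source_t, source_read, read_record and check_sample are hypothetical. It goes beyond the corrected source by also rejecting a short read of the length field or of the payload, since a short read, like ReadFile at end of file, still reports success.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for hFile: a constructed in-memory byte source. */
typedef struct { const unsigned char *data; size_t len, pos; } source_t;

/* Like ReadFile, a short read still succeeds; the count comes back in *got. */
static int source_read(source_t *s, void *dst, uint32_t want, uint32_t *got)
{
    size_t left = s->len - s->pos;
    size_t n = want < left ? want : left;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    *got = (uint32_t)n;
    return 1;
}

typedef enum { REC_OK, REC_IO_ERROR, REC_TRUNCATED, REC_TOO_LARGE } rec_status;

/* Read one length-prefixed record into buf, which holds cap bytes. */
rec_status read_record(source_t *s, char *buf, size_t cap, uint32_t *out_len)
{
    uint32_t len = 0, got = 0;
    if (!source_read(s, &len, sizeof len, &got)) return REC_IO_ERROR;
    if (got != sizeof len) return REC_TRUNCATED;   /* length field incomplete */
    if (len > cap) return REC_TOO_LARGE;           /* reject before any copy */
    if (!source_read(s, buf, len, &got)) return REC_IO_ERROR;
    if (got != len) return REC_TRUNCATED;          /* payload shorter than claimed */
    *out_len = len;
    return REC_OK;
}

/* Constructed input: header claims claimed_len, only total_bytes are present. */
rec_status check_sample(uint32_t claimed_len, size_t total_bytes)
{
    unsigned char input[4 + 128];
    char buff[80];
    uint32_t n = 0;
    source_t s = { input, total_bytes, 0 };
    if (s.len > sizeof input) s.len = sizeof input;
    memset(input, 'A', sizeof input);
    memcpy(input, &claimed_len, sizeof claimed_len);
    return read_record(&s, buff, sizeof buff, &n);
}

int main(void)
{
    printf("%d\n", (int)check_sample(81, 85));     /* oversized length field */
    return 0;
}
```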