BF Specification of CVE-2013-4930

Missing verification of the range of the user-controlled 'len_field' (it is 0, but must be at least 1) results in a wrong value, which becomes a wrong argument to the subtraction operator '-' in 'len_field - 1'. The result is -1, i.e., the sign is flipped; because 'body_len' is an unsigned integer, the '=' operator coerces the passed-out result into a distorted value (UINT_MAX). Using that value to allocate memory on the heap leads to a memory overflow (more memory is requested than is available). If exploited, this leads to denial of service: assertion failure and application exit.
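The weakness chain above (missing Verify, Calculate yielding -1, Coerce into an unsigned type, Allocate with the distorted size), as an added C example that is not the affected project's own code. The two-byte header layout, the functions body_len_unchecked, body_len_checked and alloc_body, and the two sample packets are constructed assumptions for illustration; only the names len_field and body_len come from the specification.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout (not the real dissector's): a one-byte tag, a one-byte
 * len_field, then len_field bytes of which the first is a connection id
 * and the remaining body_len = len_field - 1 bytes are the body. */
#define HDR_LEN 2

/* Buggy version: the Verify step is missing, so len_field == 0 flows into
 * the subtraction. pkt[1] is promoted to int, 0 - 1 yields -1 (Flipped
 * Sign), and assigning it to the unsigned body_len coerces it to UINT_MAX
 * (Distorted Value), which is then a Wrong Size for the allocation. */
unsigned int body_len_unchecked(const uint8_t *pkt)
{
    int len_field = pkt[1];
    unsigned int body_len = len_field - 1;
    return body_len;
}

/* Fixed version: Verify the Range of len_field before calculating.
 * Returns false and leaves *body_len untouched when the value is rejected. */
bool body_len_checked(const uint8_t *pkt, size_t pkt_len, unsigned int *body_len)
{
    if (pkt_len < HDR_LEN)
        return false;
    unsigned int len_field = pkt[1];
    if (len_field < 1)                  /* must at least cover the id byte */
        return false;
    if (len_field > pkt_len - HDR_LEN)  /* must not run past the packet */
        return false;
    *body_len = len_field - 1;
    return true;
}

/* Stand-in for the heap allocation: refuse any request larger than the
 * bytes actually present, where a real allocator assertion would fire. */
uint8_t *alloc_body(unsigned int body_len, size_t available)
{
    if (body_len > available)
        return NULL;
    return malloc(body_len ? body_len : 1);
}

int main(void)
{
    /* Constructed packets: tag byte, then len_field, then payload. */
    const uint8_t crafted[] = { 0x82, 0x00 };
    const uint8_t benign[]  = { 0x82, 0x03, 0x01, 0xAA, 0xBB };
    unsigned int n;
    uint8_t *p;

    n = body_len_unchecked(crafted);
    printf("unchecked: len_field=0 -> body_len=%u (UINT_MAX=%u)\n", n, UINT_MAX);
    p = alloc_body(n, sizeof crafted - HDR_LEN);
    printf("unchecked: allocation %s\n", p ? "succeeded" : "refused");
    free(p);

    if (!body_len_checked(crafted, sizeof crafted, &n))
        printf("checked: crafted packet rejected before the subtraction\n");
    if (body_len_checked(benign, sizeof benign, &n)) {
        p = alloc_body(n, sizeof benign - HDR_LEN);
        printf("checked: benign packet body_len=%u, allocation %s\n",
               n, p ? "ok" : "refused");
        free(p);
    }
    return 0;
}
```

The check belongs before the subtraction, not after it: once body_len holds UINT_MAX, comparing it against the packet length still catches the crafted packet, but only because the allocator stand-in is conservative; the fix the specification calls for is to reject len_field < 1 at the Verify operation so the wrong value never reaches Calculate.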



Weakness classes:
DVR: Data are verified (semantics check) or corrected (assign, remove) improperly.
TCM: An arithmetic expression (over numbers, strings, or pointers) is calculated improperly, or a boolean condition is evaluated improperly.
TCV: Data are converted or coerced into another type improperly.
MMN: An object is allocated, deallocated, or resized improperly.

Operations:
Verify: Check data semantics (proper value/meaning) in order to accept (and possibly correct) or reject them.
Calculate: Find the result of a numeric, pointer, or string operation.
Coerce: Implicitly (forced by the type system) convert the value of a passed in/out argument or the return into the corresponding parameter or return data type. (Type Coercion is also known as Type Juggling.)
Allocate: Reserve space in memory for an object; defines its initial boundaries and size.

Causes and consequences:
Code Defect Bug: The operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing Code: The entire operation implementation or a part of its specification is absent.
Data Error/Fault: The object data has harmed semantics or an inconsistent or wrong value.
   Wrong Value: The data value is not the accurate value (e.g., it is outside of a range).
   Wrong Argument: An inaccurate input data value, i.e., one not verified for harmed semantics.
   Flipped Sign: The sign bit is overwritten by a type-related calculation.
   Distorted Value: An incorrect value (although it fits the type size) due to a sign flip or a signed-to-unsigned (or vice versa) conversion.
   Wrong Size: The value used as size does not match the actual size of the object.
Memory Corruption/Disclosure Final Error: An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Memory Overflow: More memory is requested than is available.
Operation attributes (attribute: definition):
Mechanism: Shows how the buggy/faulty operation code is performed.
   Range: Checking that data are within a (min, max) interval.
   Operator: A function with a symbolic name that implements a mathematical, relational, or logical operation.
   Pass Out: Supplying "out" or "in/out" arguments' data values or a return value to a function/operator.
   Explicit: The operation is performed by a function/method call.
Source Code: Shows where the buggy/faulty operation code is in the program, i.e., in what kind of software.
   Codebase: The operation is in the programmer's code, in the application itself.
Execution Space: Shows where the buggy/faulty operation code is running, or with what privilege level.
   Local: The bugged code runs in an environment with an access control policy and limited (local user) permissions.
   Userland: The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 on the x86 architecture).
Operand attributes (attribute: definition):
Data State: Shows where the data come from.
   Stored: The data are from permanent storage (e.g., a file or database on a storage device).
Name State: Shows at what stage the entity name is.
   Bound: The name is linked to a declared (or inferred) data type, a defined object's data, or a called function implementation.
Data Kind: Shows what the data value is.
   Numeric: A number, i.e., a sequence of digits.
Type Kind: Shows what the data type composition is.
   Primitive: A scalar data type that mimics the hardware units, e.g., int (long, short, signed), float, double, string, Boolean. A primitive data type is only language defined and is not built from other data types.
Address State: Shows where the address is in the memory layout.
   Heap: The object is a dynamically allocated data structure (e.g., via malloc() or new).