{"@ID": "464", "@Name": "Addition of Data Structure Sentinel", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The accidental addition of a data-structure sentinel can cause serious programming logic problems.", "Extended_Description": "Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the addition or modification of sentinels.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "138", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": [{"@Name": "C", "@Prevalence": "Undetermined"}, {"@Name": "C++", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": "Integrity", "Impact": "Modify Application Data", "Note": "Generally this error will cause the data structure to not work properly by truncating the data."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": ["Implementation", "Architecture and Design"], "Description": "Encapsulate the user from interacting with data sentinels. Validate user input to verify that sentinels are not present."}, {"Phase": "Implementation", "Description": "Proper error checking can reduce the risk of inadvertently introducing sentinel values into data. For example, if a parsing function fails or encounters an error, it might return a value that is the same as the sentinel."}, {"Phase": "Architecture and Design", "Description": "Use an abstraction library to abstract away risky APIs. This is not a complete solution."}, {"Phase": "Operation", "Description": "Use OS-level preventative functionality. This is not a complete solution."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-228", "Intro_Text": "The following example assigns some\n               character values to a list of characters and prints\n               them each individually, and then as a string. The third\n               character value is intended to be an integer taken from\n               user input and converted to an int. The first print\n               statement will print each character separated by a\n               space.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null], "#text": "char *foo;\n\t\t\t\t   foo=malloc(sizeof(char)*5);\n\t\t\t\t   foo[0]='a';\n\t\t\t\t   foo[1]='a';\n\t\t\t\t   foo[2]=fgetc(stdin);\n\t\t\t\t   foo[3]='c';\n\t\t\t\t   foo[4]='\\0';\n\t\t\t\t   printf(\"%c %c %c %c %c \\n\",foo[0],foo[1],foo[2],foo[3],foo[4]);\n\t\t\t\t   printf(\"%s\\n\",foo);"}}, "Body_Text": "However, if a NULL byte is read from stdin\n               by fgetc, then it will return 0. When foo is printed as\n               a string, the 0 at character foo[2] will act as a NULL\n               terminator, and the second printf() statement will\n\t\t\t   not print foo[3]."}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CLASP", "Entry_Name": "Addition of data-structure sentinel"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "STR03-C", "Entry_Name": "Do not inadvertently truncate a null-terminated byte string"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "STR06-C", "Entry_Name": "Do not assume that strtok() leaves the parse string unchanged"}]}, "References": {"Reference": {"@External_Reference_ID": "REF-18"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Demonstrative_Examples, Likelihood_of_Exploit, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Demonstrative_Examples, Weakness_Ordinalities"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Jason Xu", "Contribution_Date": "2024-07-20", "Contribution_Version": "4.17", "Contribution_ReleaseDate": "2025-04-03", "Contribution_Comment": "Reported compilation error with demonstrative example."}, "Previous_Entry_Name": {"@Date": "2008-04-11", "#text": "Addition of Data-structure Sentinel"}}}
