Buffer Overflow (BOF) Class
We define Buffer Overflow (BOF) as:
The software accesses through an array a memory location that is outside the boundaries
of that array. 
Often referred to as a "buffer," an array is a contiguously allocated set of objects , called elements. An array has a definite size, that is, a definite number of elements
are allocated to it. The software should not use the array name to access anything
outside the boundary of the allocated elements. The elements are all of the same data
type and are accessed by integer offsets.
If the software can utilize the array name (more generally, array handle) to access
any memory other than the allocated objects, it falls into this class.
Low-level (language related).
Fig. 1 depicts BOF causes, attributes and consequences.
Buffer Overflow (BOF) Class
- click on image for detailed view.
This is the access operation causing buffer overflow.
This indicated which end of the array is violated.
This indicates what part of memory the array is allocated in.
Magnitude - Small, Moderate, Far.
This indicates how far outside the boundary the violation extends – one to a few bytes;
eight to dozens bytes; or hundreds, thousands or more bytes.
Data Size - Little, Some, Huge.
This indicates how much data is accessed beyond the boundary.
Excursion - Continuous, Discrete.
This indicates whether the violating access was preceded by consecutive accesses of
elements within the array (continuous) or the violation was just accessing outside
of the array (discrete).
Any of the attributes may be "any," "don't care" or "unknown." For example, strict
bounds checking is equally effective regardless of the location, magnitude, data size
or excursion of the violation. Keeping return addresses in a separate stack helps
prevent problems occurring from write accesses when the array location is the stack.
In the graph of causes, Data Exceeds Array may be caused by an Input [that is] Not Checked Properly or by an Incorrect Calculation. The specific cases of Data Exceeds Array are Array Too Small and Too Much Data. Too Much Data may be caused by No NULL Termination. Wrong Index [or] Pointer Out of Range may be caused by Incorrect Calculation, too, or by an Incorrect Conversion.
The specific cases of Incorrect Calculation are Missing Factor, Incorrect Argument, Off By One, Integer Coercion, Integer Overflow, Wrap-around and Integer Underflow.
Array Too Small indicates the array was allocated smaller than it should have been. This may occur
because the programmer leaves out a factor, like the size of a header, uses the wrong
variable, or forgets room for a null to terminate a string.
Too Much Data indicates more data is accessed than was anticipated. This may occur because the
string is not NULL terminated or the amount of data is calculated differently than
the size of the buffer (e.g. Heartbleed).
Exposition: When we examine code, we can say in some cases that the programmer allocated
the array too small, such as in CVE-2015-0235 - Ghost. The code computes the size
of a buffer needed, but leaves out one factor, which makes the buffer four bytes short.
In other cases, too much data was accessed, such as in CVE-2014-0160 - Heartbleed.
A string was stored in an array, but instead of computing the length of the string,
the code used a length from the input, which was not checked against the string. This
can cause the code to read far more from the buffer than was allocated. In both cases,
the size of the data exceeds the size of the array. Just looking at the code, it may
be difficult to determine which case it is - it needs semantic content. That's why
the two are sub-causes of one cause.
The graph of consequences shows what could happen due to the fault. Resource Exhaustion refers to Memory and CPU.
BOF may occur at the use of
[ ] or the use of unary
* operator with arrays in the C language. Sites also include the use of many string
library functions, such as
Related BF Classes
BF classes related to BOF are: IEX, ATN, <<content to be added>>.
Related CWEs and SFP
CWEs related to BOF are CWE-118, CWE-119, CWE-120, CWE-121, CWE-122, CWE-123, CWE-124, CWE-125, CWE-126, CWE-127, CWE-129, CWE-680, CWE-786, CWE-787, CWE-788, CWE-823.
BF BOF description of these CWEs are provided here.
BF Descriptions of BOF Related CWEs are provided here.
Application examples are provided here.