In
computer security and
programming, a buffer over-read is an
anomaly where a
program
Program, programme, programmer, or programming may refer to:
Business and management
* Program management, the process of managing several related projects
* Time management
* Program, a part of planning
Arts and entertainment Audio
* Programm ...
, while reading
data from a
buffer
Buffer may refer to:
Science
* Buffer gas, an inert or nonflammable gas
* Buffer solution, a solution used to prevent changes in pH
* Buffering agent, the weak acid or base in a buffer solution
* Lysis buffer, in cell biology
* Metal ion buffer ...
, overruns the buffer's boundary and reads (or tries to read) adjacent memory. This is a special case of violation of
memory safety.
Buffer over-reads can be triggered, as in the
Heartbleed bug, by maliciously crafted inputs that are designed to exploit a lack of
bounds checking
In computer programming, bounds checking is any method of detecting whether a variable is within some bounds before it is used. It is usually used to ensure that a number fits into a given type (range checking), or that a variable being used as ...
to read parts of memory not intended to be accessible. They may also be caused by programming errors alone. Buffer over-reads can result in erratic program behavior, including
memory access errors, incorrect results, a
crash
Crash or CRASH may refer to:
Common meanings
* Collision, an impact between two or more objects
* Crash (computing), a condition where a program ceases to respond
* Cardiac arrest, a medical condition in which the heart stops beating
* Couch ...
, or a breach of system security. Thus, they are the basis of many
software vulnerabilities
Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...
and can be maliciously
exploited to access privileged information.
Programming languages commonly associated with buffer over-reads include
C and
C++
C, or c, is the third letter in the Latin alphabet, used in the modern English alphabet, the alphabets of other western European languages and others worldwide. Its name in English is ''cee'' (pronounced ), plural ''cees''.
History
"C" ...
, which provide no built-in protection against using
pointers
Pointer may refer to:
Places
* Pointer, Kentucky
* Pointers, New Jersey
* Pointers Airport, Wasco County, Oregon, United States
* The Pointers, a pair of rocks off Antarctica
People with the name
* Pointer (surname), a surname (including a ...
to access data in any part of
virtual memory
In computing, virtual memory, or virtual storage is a memory management technique that provides an "idealized abstraction of the storage resources that are actually available on a given machine" which "creates the illusion to users of a very l ...
, and which do not automatically check that reading data from a block of memory is safe; respective examples are attempting to read more elements than contained in an array, or failing to append a trailing terminator to a
null-terminated string.
Bounds checking
In computer programming, bounds checking is any method of detecting whether a variable is within some bounds before it is used. It is usually used to ensure that a number fits into a given type (range checking), or that a variable being used as ...
can prevent buffer over-reads,
while
fuzz testing
Fuzz may refer to:
* ''Fuzz'' (film), a 1972 American comedy
* '' Fuzz: When Nature Breaks the Law'', a nonfiction book by Mary Roach
* The fuzz, a slang term for police officers
Music
* Fuzz (electric guitar), distortion effects to create "w ...
can help detect them.
See also
*
Buffer overflow
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
Buffers are areas of memor ...
*
Computer security
*
Type safety
References
External links
PHP DateInterval Heap Buffer Overread Denial of ServicePHP Bug #66060: Heap buffer over-read in DateInterval
Software bugs
Computer memory
Computer security exploits
{{Computer-security-stub