CWE Reference

CWE-464: Addition of Data Structure Sentinel

Official CWE-464 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.

Release 4.20 | weakness | Incomplete

Glexia's Take

CWE-464: Addition of Data Structure Sentinel

Addition of Data Structure Sentinel represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Integrity: Modify Application Data: Generally this error will cause the data structure to not work properly by truncating the data.

Developer Pattern

CWE-464 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Confidence

High confidence, from CWE-464, release 4.20.

Official CWE Definition

CWE-464: Addition of Data Structure Sentinel

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

Data-structure sentinels are often used to mark the structure of data. A common example of this is the null character at the end of strings or a special sentinel to mark the end of a linked list. It is dangerous to allow this type of control data to be easily accessible. Therefore, it is important to protect from the addition or modification of sentinels.

Type: weakness
Abstraction: Base
Status: Incomplete
Source: MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following example assigns some character values to a list of characters and prints them each individually, and then as a string. The third character value is intended to be an integer taken from user input and converted to an int. The first print statement will print each character separated by a space. However, if a NULL byte is read from stdin by fgetc, then it will return 0. When foo is printed as a string, the 0 at character foo[2] will act as a NULL terminator, and the second printf() statement will not print foo[3].

Remediation

  • Implementation, Architecture and Design: Keep users from interacting directly with data sentinels by encapsulating them. Validate user input to verify that sentinels are not present.
  • Implementation: Proper error checking can reduce the risk of inadvertently introducing sentinel values into data. For example, if a parsing function fails or encounters an error, it might return a value that is the same as the sentinel.
  • Architecture and Design: Use an abstraction library to abstract away risky APIs. This is not a complete solution.
  • Operation: Use OS-level preventative functionality. This is not a complete solution.
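
The cause described under Causes and the input-validation remediation above, side by side, as an added example that is not MITRE's or Glexia's code. The function names are hypothetical, and the byte is passed in as the int that fgetc() would return so the sample values can be constructed inline.

```c
#include <stdio.h>
#include <string.h>

#define FOO_LEN 5  /* four data characters plus the terminator */

/* Vulnerable pattern: the byte goes into foo[2] with no check. `c` is the
 * int returned by fgetc(); a NUL byte on the input arrives as 0. */
static void fill_unchecked(char foo[FOO_LEN], int c)
{
    foo[0] = 'a';
    foo[1] = 'a';
    foo[2] = (char)c;   /* 0 here becomes an early terminator */
    foo[3] = 'c';
    foo[4] = '\0';
}

/* Hardened form: refuse EOF/read errors and the sentinel itself.
 * Returns 0 on success, -1 if the byte must not be stored. */
static int fill_checked(char foo[FOO_LEN], int c)
{
    if (c == EOF || c == '\0')
        return -1;
    fill_unchecked(foo, c);
    return 0;
}

/* Length seen by string functions, versus the four bytes actually stored. */
static size_t visible_len(const char foo[FOO_LEN])
{
    return strlen(foo);
}

int main(void)
{
    char foo[FOO_LEN];
    const int samples[] = { 'b', 0 };   /* constructed fgetc() results */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fill_unchecked(foo, samples[i]);
        printf("unchecked: 4 bytes stored, %%s shows %zu: \"%s\"\n",
               visible_len(foo), foo);
        if (fill_checked(foo, samples[i]) != 0)
            printf("checked:   rejected byte 0x%02x\n", (unsigned)samples[i]);
        else
            printf("checked:   \"%s\"\n", foo);
    }
    return 0;
}
```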

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.


ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.