CWE-120 is the MITRE identifier for Classic Buffer Overflow — copying data into a buffer without checking whether it fits. It is the parent class for stack-based (CWE-121) and heap-based (CWE-122) overflows, and one of the most exploited memory safety vulnerabilities in C and C++ code.
CWE-120 occurs when software copies data into a buffer of fixed size without verifying that the data fits. The copy overwrites adjacent memory, which can corrupt program state, overwrite return addresses on the stack, or corrupt heap allocator metadata.
The official CWE entry is maintained by MITRE at cwe.mitre.org/data/definitions/120.html.
| Risky pattern | Safe pattern | Why |
|---|---|---|
| strcpy(dest, src) | strlcpy(dest, src, sizeof(dest)) | Explicit size limit prevents overflow |
| sprintf(buf, fmt, ...) | snprintf(buf, sizeof(buf), fmt, ...) | snprintf respects buffer size |
| gets(buf) | fgets(buf, sizeof(buf), stdin) | fgets enforces max length |
| strcat(dest, src) | strncat(dest, src, sizeof(dest)-strlen(dest)-1) | Bounded append |
Semgrep rule for unsafe strcpy in C:

```yaml
rules:
  - id: unsafe-strcpy
    pattern: strcpy($DEST, $SRC)
    message: >
      strcpy does not check destination buffer size (CWE-120).
      Use strlcpy or strncpy with an explicit size limit.
    severity: ERROR
    languages: [c, cpp]
```

Browse available rules at semgrep.dev/r?q=buffer-overflow.
A classic stack smashing attack overwrites the return address with the address of attacker-controlled shellcode:

```c
char buf[64];             // Vulnerable: no size check — input longer than 64 bytes overwrites stack
strcpy(buf, user_input);  // Attacker sends 72 bytes: 64 bytes of padding + 8 bytes to overwrite return address
```
What is CWE-120?
CWE-120 is Classic Buffer Overflow: the product copies data into a buffer without checking whether it fits, overwriting adjacent memory. It is the parent CWE for CWE-121 (stack-based) and CWE-122 (heap-based) buffer overflows.
How dangerous is CWE-120?
High to critical. Exploitation can lead to arbitrary code execution, privilege escalation, or denial of service. Stack overflows often overwrite return addresses; heap overflows can corrupt allocator metadata.
What C functions cause CWE-120?
strcpy(), strcat(), sprintf(), gets(), and scanf() with %s and no width specifier are the most common. All accept input of arbitrary length without a bound check.
How do you fix CWE-120?
Replace strcpy with strlcpy or strncpy (with explicit size). Replace sprintf with snprintf. Replace gets with fgets. Always specify a maximum length equal to the destination buffer size minus 1.
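The hardened form of the 64-byte snippet above, together with the strncpy pitfall the table's strncat formula avoids, as an added example (not code from the CWE entry or from Semgrep); `bounded_copy`, `handle_input_safe` and `strncpy_leaves_unterminated` are names chosen for this example, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Portable strlcpy-style copy (helper written for this example; strlcpy itself is
 * missing from some libcs, e.g. glibc before 2.38). Always writes a terminating NUL
 * when size > 0 and returns strlen(src), so a return value >= size tells the
 * caller the input did not fit. Note: sizeof(dst) is only the buffer size when
 * dst is an array in scope; a char* parameter needs the size passed explicitly. */
size_t bounded_copy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size == 0) return srclen;
    size_t n = srclen < size - 1 ? srclen : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Hardened form of the page's snippet: same 64-byte stack buffer, but the copy is
 * bounded and over-long input is rejected instead of silently truncated.
 * Returns 0 if the input fit, -1 if it was rejected. */
int handle_input_safe(const char *user_input) {
    char buf[64];
    if (bounded_copy(buf, user_input, sizeof buf) >= sizeof buf) {
        return -1;   /* 64 or more bytes: would have overrun buf */
    }
    return 0;        /* buf is NUL-terminated and safe to use */
}

/* Pitfall of the strncpy alternative: with n == sizeof(dst) and strlen(src) >= n,
 * strncpy writes no terminator, so a later strlen/printf reads past dst.
 * Returns 1 when dst ends up unterminated, 0 otherwise. */
int strncpy_leaves_unterminated(const char *src) {
    char dst[8];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Constructed sample inputs; the 72-byte one mirrors the page's 64 + 8 example. */
#define A10 "AAAAAAAAAA"
static const char SAMPLE_OK[] = "GET /index.html";
static const char SAMPLE_OVERLONG[] = A10 A10 A10 A10 A10 A10 A10 "AA"; /* 72 x 'A' */

int main(void) {
    printf("short input accepted: %d\n", handle_input_safe(SAMPLE_OK) == 0);
    printf("72-byte input rejected: %d\n", handle_input_safe(SAMPLE_OVERLONG) == -1);
    printf("strncpy unterminated on 8-byte src: %d\n", strncpy_leaves_unterminated("12345678"));
    return 0;
}
```

Rejecting on `>= size` rather than truncating matters for protocol parsers: silent truncation can turn one field into another's prefix.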
Can Semgrep detect CWE-120?
Yes. Semgrep flags calls to strcpy(), gets(), sprintf(), and strcat() in C. See semgrep.dev/r?q=buffer-overflow for available rules.
What is the difference between CWE-120, CWE-121, and CWE-122?
CWE-120 is the general class. CWE-121 is stack-based buffer overflow (return address overwrite). CWE-122 is heap-based buffer overflow (allocator metadata corruption). CWE-120 is the parent in the CWE hierarchy.
For in-depth examples, detection patterns, and real-world case studies of buffer overflow fixes in open-source C projects, see the full buffer overflow hub.