Bugtraq mailing list archives

"Buffer overflow" term considered overloaded


From: "Steven M. Christey" <coley () mitre org>
Date: Fri, 22 Sep 2006 21:18:48 -0400 (EDT)


In "Re: IE ActiveX 0day?" to Bugtraq on September 18, Alexander
Sotirov asked:

What is your definition of memory corruption? How can a buffer
overflow not be a memory corruption error?

The term "buffer overflow" continues to be too general for the variety
of issues out there.  Array index/offset errors, buffer "underflows,"
out-of-bounds reads, frees of invalid pointers, length field
inconsistencies, off-by-ones, insufficient memory allocation that
results from integer overflows, other kinds of incorrect size
calculations, and other problems all involve memory access outside of
expected boundaries, so they are called "buffer overflows."  But they
are different from the "classic" overflows that strcpy() is known for.
And the term is used interchangeably for attacks, results/impacts, and
programming bugs.

Terminology has not evolved to cope with all the variety, so "memory
corruption" is acting as a placeholder in some cases.

I have some preliminary thoughts on how to do more precise
classification, but they're not ready for prime time, so people can
contact me privately if they're interested.

- Steve
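
The distinctions the post draws are easier to see side by side in code. What follows is an added example, not part of the original message or of any MITRE work: one C function per bug class named above (the classic strcpy()-style overflow, the off-by-one, the length-field inconsistency that turns into an out-of-bounds read, and the under-allocation caused by an integer overflow), each written as the check that separates the safe operation from the unsafe one. The record format, the sample bytes, the enum names and the function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One code per bug class named in the post (names are this example's own). */
enum bug_class {
    BC_OK = 0,
    BC_CLASSIC_OVERFLOW,     /* strcpy()-style write past the end of dst     */
    BC_OFF_BY_ONE,           /* index == length: one slot past the end       */
    BC_OOB_READ,             /* read from well beyond the buffer             */
    BC_LENGTH_INCONSISTENT,  /* length field claims more bytes than exist    */
    BC_ALLOC_INT_OVERFLOW    /* count*size wrapped; buffer ends up too short */
};

/* Classic overflow. strcpy(dst, src) copies strlen(src)+1 bytes regardless
 * of dst_size; this refuses the copy instead of writing past the end. */
enum bug_class bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)          /* n+1 bytes are needed, NUL included */
        return BC_CLASSIC_OVERFLOW;
    memcpy(dst, src, n + 1);
    return BC_OK;
}

/* Off-by-one. A loop written "for (i = 0; i <= len; i++)" touches element
 * len, exactly one past the last valid slot; no size calculation is wrong,
 * only the comparison operator. */
enum bug_class checked_index(size_t i, size_t len)
{
    if (i < len)
        return BC_OK;
    return i == len ? BC_OFF_BY_ONE : BC_OOB_READ;
}

/* Length-field inconsistency. Records are <len: 1 byte><payload: len bytes>.
 * A parser that trusts len and does memcpy(out, buf + off + 1, len) reads
 * past the end of buf when len exceeds what is actually left: an
 * out-of-bounds read, with nothing being "overflowed" at all. */
enum bug_class parse_records(const uint8_t *buf, size_t buflen, size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < buflen) {
        size_t len = buf[off];
        size_t remaining = buflen - off - 1;   /* bytes after the length byte */
        if (len > remaining)
            return BC_LENGTH_INCONSISTENT;
        off += 1 + len;
        (*count)++;
    }
    return BC_OK;
}

/* Insufficient allocation from integer overflow. count * elem_size can wrap
 * (on 64-bit, (SIZE_MAX/2 + 2) * 2 wraps to 2), so malloc() succeeds and
 * later writes of count elements run off the end of a buffer that looked
 * large enough. The division test catches the wrap before it happens. */
void *checked_alloc(size_t count, size_t elem_size, enum bug_class *why)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        *why = BC_ALLOC_INT_OVERFLOW;
        return NULL;
    }
    *why = BC_OK;
    return malloc(count * elem_size);
}

/* Constructed sample input: two well-formed records, then a buffer whose
 * second length byte (0x10) claims 16 payload bytes when only 2 remain. */
static const uint8_t good_records[] = { 0x02, 'h', 'i', 0x03, 'b', 'u', 'g' };
static const uint8_t bad_records[]  = { 0x02, 'h', 'i', 0x10, 'x', 'y' };

/* Runs every check against the sample input; returns how many of the six
 * expected outcomes held (6 when everything behaves as described). */
int self_check(void)
{
    char small[4];
    size_t n;
    enum bug_class why;
    int passed = 0;

    passed += bounded_copy(small, sizeof small, "abc") == BC_OK;
    passed += bounded_copy(small, sizeof small, "abcd") == BC_CLASSIC_OVERFLOW;
    passed += checked_index(4, 4) == BC_OFF_BY_ONE;
    passed += parse_records(good_records, sizeof good_records, &n) == BC_OK && n == 2;
    passed += parse_records(bad_records, sizeof bad_records, &n) == BC_LENGTH_INCONSISTENT && n == 1;
    void *p = checked_alloc(SIZE_MAX / 2 + 2, 2, &why);
    passed += p == NULL && why == BC_ALLOC_INT_OVERFLOW;
    free(p);
    return passed;
}

int main(void)
{
    printf("%d of 6 bug-class checks behaved as expected\n", self_check());
    return 0;
}
```

Each function returns the class it would have fallen into had the check been absent, which is the point of the post: the same "memory access outside expected boundaries" arises from four unrelated programming mistakes, and only the first one is what strcpy() made famous. Frees of invalid pointers are deliberately left out, since a runnable example cannot demonstrate them without invoking undefined behaviour.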

