CWE - CWE-128: Wrap-around Error (1.0.1)

Home > CWE List > CWE- Individual Dictionary Definition (1.0.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-128: Wrap-around Error

Individual Definition in a New Window

Wrap-around Error

Status: Incomplete

Weakness ID: 128 (Weakness Base)

Description

Summary

Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.

Likelihood of Exploit

Medium

Weakness Ordinalities

Primary (where the weakness exists independent of other weaknesses)

Causal Nature

Explicit (an explicit weakness resulting from behavior of the developer)

Common Consequences

Availability

Wrap-around errors generally lead to undefined behavior, infinite loops, and therefore crashes.

Integrity

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Access control (instruction processing): A wrap around can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Potential Mitigations

Requirements specification: The choice could be made to use a language that is not susceptible to these issues.

Architecture and Design

Provide clear upper and lower bounds on the scale of any protocols designed.

Implementation

Place sanity checks on all incremented variables to ensure that they remain within reasonable bounds.

Background Details

Due to how addition is performed by computers, if a primitive is incremented past the maximum value possible for its storage space, the system will fail to recognize this, and therefore increment each bit as if it still had extra space. Because of how negative numbers are represented in binary, primitives interpreted as signed may "wrap" to very large negative values.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	119	Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer	Development Concepts (primary)699 Research Concepts (primary)1000
PeerOf	Weakness Base	190	Integer Overflow (Wrap or Wraparound)	Research Concepts1000

Relationship Notes

The relationship between overflow and wrap-around needs to be examined more closely, since several entries (including CWE-190) are closely related.

Taxonomy Mappings

Mapped Taxonomy Name	Mapped Node Name
CLASP	Wrap-around error

Applicable Platforms

Languages

C (Often)

C++ (Often)

Time of Introduction

Implementation

Related Attack Patterns

CAPEC-ID	(CAPEC Version 1.1)Attack Pattern Name
92	Forced Integer Overflow

Content History

Submissions

CLASP. (Externally Mined)

Modifications

CWE Content Team. MITRE. 2008-09-08. (Internal)

updated Applicable_Platforms, Background_Details, Common_Consequences, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities

Page Last Updated: October 16, 2008


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us