
CWE-190 Individual Dictionary Definition (Draft 9)

Integer Overflow (Wrap or Wraparound)
Weakness ID: 190 (Weakness Base)
Status: Incomplete

Description

Summary

An integer overflow condition exists when an integer that has not been properly sanity checked is used in the determination of an offset or size for memory allocation, copying, concatenation, or similar operations. If the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, therefore providing an unintended value.

Functional Area

Non-specific, memory management, counters

Likelihood of Exploit

Medium

Common Consequences

Availability: Integer overflows generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the integer overflow has resulted in a buffer overflow condition, data corruption will most likely take place.

Access control (instruction processing): Integer overflows can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Potential Mitigations

Pre-design: Use a language or compiler that performs automatic bounds checking.

Design: Use sanity checks and assertions at the object level. Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply.

Pre-design through Build: Canary style bounds checking, library changes which ensure the validity of chunk data, and other such fixes are possible but should not be relied upon.

Use unsigned integers where possible

Demonstrative Examples

The following code excerpt from OpenSSH 3.3 demonstrates a classic case of integer overflow:

nresp = packet_get_int();                 /* count taken directly from the network packet */
if (nresp > 0) {
  /* nresp*sizeof(char*) is computed in 32-bit arithmetic and can wrap to a small value */
  response = xmalloc(nresp*sizeof(char*));
  for (i = 0; i < nresp; i++) response[i] = packet_get_string(NULL);  /* writes beyond an undersized buffer */
}

If nresp has the value 1073741824 and sizeof(char*) has its typical value of 4, then the result of the operation nresp*sizeof(char*) overflows, and the argument to xmalloc() will be 0. Most malloc() implementations will happily allocate a 0-byte buffer, causing the subsequent loop iterations to overflow the heap buffer response.
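The wraparound described above, followed by the check that prevents it, as an added example (not OpenSSH code, not from the CWE entry). A 32-bit size_t is modelled with uint32_t so the arithmetic in the page's walk-through reproduces on any host; the element size of 4 and the helper names are assumptions of this example.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* A 32-bit size_t is modelled explicitly so the wrap happens on 64-bit hosts too. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX
#define PTR_SIZE32 4u   /* sizeof(char*) on the 32-bit platform the page assumes */

/* The unchecked computation from the excerpt, nresp * sizeof(char*), done in
 * 32-bit unsigned arithmetic: the product wraps modulo 2^32. */
size32_t unchecked_alloc_size(int32_t nresp) {
    return (size32_t)nresp * PTR_SIZE32;
}

/* Hardened form: validate the count before multiplying. Rejects non-positive
 * counts and any count whose product with elem_size would exceed SIZE32_MAX.
 * Returns the byte count, or 0 when the request must be refused. */
size32_t checked_alloc_size(int32_t nresp, size32_t elem_size) {
    if (nresp <= 0 || elem_size == 0)
        return 0;
    size32_t n = (size32_t)nresp;
    if (n > SIZE32_MAX / elem_size)    /* n * elem_size would wrap */
        return 0;
    return n * elem_size;
}

int main(void) {
    int32_t nresp = 1073741824;        /* 2^30, the value used in the page's walk-through */
    printf("unchecked: %" PRId32 " * 4 = %" PRIu32 " bytes\n", nresp, unchecked_alloc_size(nresp));
    printf("checked:   %" PRIu32 " (0 = rejected)\n", checked_alloc_size(nresp, PTR_SIZE32));
    printf("checked:   1000 * 4 = %" PRIu32 " bytes\n", checked_alloc_size(1000, PTR_SIZE32));
    return 0;
}
```

The division-based test (`n > SIZE32_MAX / elem_size`) is the portable way to detect a multiplication wrap without performing it; on compilers that offer `__builtin_mul_overflow` the same intent can be expressed in one call.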


This example processes user input comprised of a series of variable-length structures. The first 2 bytes of input dictate the size of the structure to be processed.

char* processNext(char* strm) {
  char buf[512];
  short len = *(short*) strm;          /* length field read as a signed 16-bit value */
  strm += sizeof(len);
  if (len <= 512) {                    /* signed comparison: any negative len passes */
    memcpy(buf, strm, len);            /* len is converted to size_t here: a negative value becomes huge */
    process(buf);
    return strm + len;
  }
  else { return -1; }
}

The programmer has set an upper bound on the structure size: if it is larger than 512, the input will not be processed. The problem is that len is a signed integer, so the check against the maximum structure length is done with signed integers, but len is converted to an unsigned integer for the call to memcpy(). If len is negative, then it will appear that the structure has an appropriate size (the if branch will be taken), but the amount of memory copied by memcpy() will be quite large, and the attacker will be able to overflow the stack with data in strm.
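The signed/unsigned mismatch above, isolated, next to a version of the parser that reads the length as unsigned and bounds it against both the buffer and the remaining input. This is an added example, not code from the CWE entry; the little-endian length encoding, the sample records and the function names are constructed for it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 512

/* The page's check, isolated: len is a signed short, so the comparison is signed
 * and every negative length "fits". Returns 1 when the check would be passed. */
int signed_check_passes(short len) {
    return len <= BUF_SIZE;
}

/* What memcpy() receives for the same len: conversion to size_t turns a
 * negative length into a huge unsigned count. */
size_t bytes_memcpy_receives(short len) {
    return (size_t)len;
}

/* Hardened processNext(): read the length field as unsigned, bound it against
 * the destination buffer and the input actually available, then copy.
 * Returns the number of input bytes consumed (2-byte header + payload), or 0
 * when the record is rejected. Little-endian length is a constructed convention. */
size_t process_next_safe(const unsigned char *strm, size_t avail,
                         unsigned char *buf, size_t bufsz) {
    if (avail < 2)
        return 0;
    uint16_t len = (uint16_t)(strm[0] | ((unsigned)strm[1] << 8));
    if (len > bufsz)                  /* unsigned compare: no negative value can sneak through */
        return 0;
    if (len > avail - 2)              /* payload must lie within the bytes we actually have */
        return 0;
    memcpy(buf, strm + 2, len);
    return 2 + (size_t)len;
}

/* Constructed inputs: a well-formed 3-byte record, and one whose length field is
 * 0xFFFF, which the original code would read as len == -1. */
static const unsigned char SAMPLE_OK[]  = { 0x03, 0x00, 'a', 'b', 'c' };
static const unsigned char SAMPLE_NEG[] = { 0xFF, 0xFF, 'x' };

size_t parse_sample_ok(void) {
    unsigned char buf[BUF_SIZE];
    return process_next_safe(SAMPLE_OK, sizeof SAMPLE_OK, buf, BUF_SIZE);
}

size_t parse_sample_neg(void) {
    unsigned char buf[BUF_SIZE];
    return process_next_safe(SAMPLE_NEG, sizeof SAMPLE_NEG, buf, BUF_SIZE);
}

int main(void) {
    printf("signed check passes for len=-1: %d\n", signed_check_passes(-1));
    printf("memcpy would be asked to copy %zu bytes\n", bytes_memcpy_receives(-1));
    printf("safe parser: good record consumed %zu bytes, 0xFFFF record consumed %zu\n",
           parse_sample_ok(), parse_sample_neg());
    return 0;
}
```

Two changes do the work: the length is typed `uint16_t` so the comparison with the buffer size is unsigned, and the parser is told how much input remains so a legitimate-looking length cannot read past the end of `strm`.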


Integer overflows can be complicated and difficult to detect. The following example is an attempt to show how an integer overflow may lead to undefined looping behavior:

C Example:

short int bytesRec = 0;              /* 16-bit accumulator: cannot hold a value above 32767 */
char buf[SOMEBIGNUM];

while(bytesRec < MAXGET) {
  bytesRec += getFromInput(buf+bytesRec);   /* once the sum exceeds the range of short it wraps, so the loop may never end */
}

In the above case, it is entirely possible that bytesRec may overflow, repeatedly yielding a value lower than MAXGET so that the loop never terminates, while also overwriting the first MAXGET-1 bytes of buf.
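The looping failure above made observable, with a bounded replacement beside it. This is an added example rather than the CWE entry's code: MAXGET and the per-read chunk size are constructed values (MAXGET is chosen above SHRT_MAX so a short can never reach it), fake_get_from_input() stands in for the page's getFromInput(), and the loop is given an iteration cap purely so the demonstration finishes.

```c
#include <stddef.h>
#include <stdio.h>

#define MAXGET 40000    /* constructed: larger than SHRT_MAX (32767), so a short can never reach it */
#define CHUNK  10000    /* constructed: bytes reported by each simulated read */

/* Stand-in for the page's getFromInput(): every call reports CHUNK bytes read.
 * No buffer is written; the point is the arithmetic on the counter. */
static int fake_get_from_input(void) {
    return CHUNK;
}

/* The page's loop with its short accumulator, plus an iteration cap so the
 * demonstration terminates. Returns the number of iterations run; reaching the
 * cap means the loop would have spun forever on its own. */
int iterations_with_short_counter(int cap) {
    short bytesRec = 0;
    int iters = 0;
    while (bytesRec < MAXGET && iters < cap) {
        bytesRec += fake_get_from_input();   /* 4th add: 40000 does not fit in a short, wraps negative */
        iters++;
    }
    return iters;
}

/* Hardened loop: a size_t accumulator wide enough for the target, an explicit
 * check that the next read still fits in the buffer, and a stop on a
 * non-positive read. Returns the total number of bytes accepted. */
size_t bounded_receive(size_t bufsz) {
    size_t total = 0;
    while (total < MAXGET) {
        int got = fake_get_from_input();
        if (got <= 0)
            break;                            /* EOF or error */
        if ((size_t)got > bufsz - total)
            break;                            /* would write past the end of buf */
        total += (size_t)got;
    }
    return total;
}

int main(void) {
    printf("short counter: %d iterations before the safety cap\n", iterations_with_short_counter(100));
    printf("bounded loop, 40000-byte buffer: %zu bytes\n", bounded_receive(40000));
    printf("bounded loop, 35000-byte buffer: %zu bytes\n", bounded_receive(35000));
    return 0;
}
```

With a 40000-byte buffer the bounded loop stops after four reads; with a 35000-byte buffer it refuses the fourth read rather than overrun, which is the decision the original loop never gets to make because its counter wraps first.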

Observed Examples

CVE-2002-0391 - Integer overflow via a large number of arguments.
CVE-2005-1141 - Image with large width and height leads to integer overflow.
CVE-2005-0102 - Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.
CVE-2004-2013 - Length value of -1 leads to allocation of 0 bytes and resultant heap overflow.

Context Notes

Terminology Note: "integer overflow" is used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context.

Integer overflows can be primary to buffer overflows.

References

Yves Younan. "An overview of common programming security vulnerabilities and possible solutions". Student thesis section 5.4.3. August 2003. <http://fort-knox.org/thesis.pdf>.

blexim. "Basic Integer Overflows". Phrack - Issue 60, Chapter 10. <http://www.phrack.org/archives/60/p60-0x0a.txt>.

Relationships

Nature      Type                         ID   Name
ChildOf     Category                     189  Numeric Errors
CanPrecede  Compound Element: Composite  120  Unbounded Transfer ('Classic Buffer Overflow')
CanPrecede  Weakness Variant             122  Heap-based Buffer Overflow
PeerOf      Weakness Base                128  Wrap-around Error

Source Taxonomies

PLOVER - Integer overflow (wrap or wraparound)

7 Pernicious Kingdoms - Integer Overflow

CLASP - Integer overflow

Time of Introduction

Implementation

Related Attack Patterns

CAPEC-ID  Attack Pattern Name
92        Forced Integer Overflow

Page Last Updated: April 22, 2008