CWE - CWE-195: Signed to Unsigned Conversion Error (Draft 9)

Home > CWE List > CWE-195 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-195 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Draft

195 (Weakness Variant)

Description

Summary

A signed-to-unsigned conversion error takes place when a signed primitive is used as an unsigned value, usually as a size variable.

Common Consequences

Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities.

Demonstrative
Examples

In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

unsigned int readdata () {
  int amount = 0;
  ...
  if (result == ERROR)
    amount = -1;
  ...
  return amount;
}

If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system uses 32-bit integers.

In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

unsigned int readdata () {
  int amount = 0;
  ...
  amount = accessmainframe();
  ...
  return amount;
}

If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

Observed Examples

Reference	Description
CVE-2007-4268	Chain: integer signedness passes signed comparison, leads to heap overflow

Context Notes

It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate weak assumptions made elsewhere in the program.

Relationships

Nature	Type	ID	Name
ChildOf	Weakness Base	681	Incorrect Conversion between Numeric Types
ChildOf	Category	189	Numeric Errors
CanPrecede	Weakness Variant	122	Heap-based Buffer Overflow
CanAlsoBe	Category	192	Integer Coercion Error
CanAlsoBe	Weakness Base	197	Numeric Truncation Error

Source Taxonomies

CLASP - Signed to unsigned conversion error

Applicable Platforms

C++

Time of Introduction

Implementation

Page Last Updated: April 22, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us