CWE
Home > CWE List > CWE-196 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-196 Individual Dictionary Definition (Draft 9)

Unsigned to Signed Conversion Error
Weakness ID
Status: Draft

196 (Weakness Variant)

Description

Summary

An unsigned-to-signed conversion error takes place when a large unsigned primitive is used as a signed value.

Likelihood of Exploit

Medium

Common Consequences

Availability: Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.

Integrity: If a poor cast lead to a buffer overflow or similar condition, data integrity may be affected.

Access control (instruction processing): Improper signed-to-unsigned conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Potential Mitigations

Requirements specification: Choose a language which is not subject to these casting flaws.

Design: Design object accessor functions to implicitly check values for valid sizes. Ensure that all functions which will be used as a size are checked previous to use as a size. If the language permits, throw exceptions rather than using in-band errors.

Implementation: Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible.

Demonstrative
Examples

In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:

int returnChunkSize(void *) {
  /* if chunk info is valid, return the size of usable memory,
  * else, return -1 to indicate an error
  */
  ...
}
int main() {
  ...
  memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));
  ...
}

If returnChunkSize() happens to encounter an error, and returns -1, memcpy will assume that the value is unsigned and therefore interpret it as MAXINT-1, therefore copying far more memory than is likely available in the destination buffer.

Context Notes

Often, functions will return negative values to indicate a failure state. In the case of functions which return values which are meant to be used as sizes, negative return values can have unexpected results. If these values are passed to the standard memory copy or allocation functions, they will implicitly cast the negative error-indicating value to a large unsigned value. In the case of allocation, this may not be an issue; however, in the case of memory and string copy functions, this can lead to a buffer overflow condition which may be exploitable. Also, if the variables in question are used as indexes into a buffer, it may result in a buffer underflow condition.

Although less frequent an issue than signed-to-unsigned casting, unsigned-to-signed casting can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic.

Relationships
NatureTypeIDName
ChildOfWeakness BaseWeakness BaseWeakness Base681Incorrect Conversion between Numeric Types
ChildOfCategoryCategory189Numeric Errors
CanAlsoBeWeakness BaseWeakness BaseWeakness Base124Boundary Beginning Violation ('Buffer Underwrite')
CanAlsoBeCompound Element: CompositeCompound Element: Composite120Unbounded Transfer ('Classic Buffer Overflow')
CanAlsoBeCategoryCategory192Integer Coercion Error
CanAlsoBeWeakness BaseWeakness BaseWeakness Base197Numeric Truncation Error
Source Taxonomies

CLASP - Unsigned to signed conversion error

Applicable Platforms

C

C++

Time of Introduction

Implementation

Related Attack Patterns
CAPEC-IDAttack Pattern Name
92Forced Integer Overflow
Page Last Updated: April 22, 2008