|
|
|
|
CWE-196 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Draft 196 (Weakness Variant) | | Description | Summary An unsigned-to-signed conversion error takes place when a large unsigned primitive is
used as a signed value. | | Likelihood of Exploit | Medium | | Common Consequences | Availability: Incorrect sign conversions generally lead to undefined behavior,
and therefore crashes. Integrity: If a poor cast lead to a buffer overflow or similar condition, data
integrity may be affected. Access control (instruction processing): Improper signed-to-unsigned
conversions without proper checking can sometimes trigger buffer overflows which can be used
to execute arbitrary code. This is usually outside the scope of a program's implicit security
policy. | | Potential Mitigations | Requirements specification: Choose a language which is not subject to these casting
flaws. Design: Design object accessor functions to implicitly check values for valid sizes.
Ensure that all functions which will be used as a size are checked previous to use as a size.
If the language permits, throw exceptions rather than using in-band errors. Implementation: Error check the return values of all functions. Be aware of implicit
casts made, and use unsigned variables for sizes if at all possible. | Demonstrative
Examples | In the following example, it is possible to request that memcpy move a much larger
segment of memory than assumed: int returnChunkSize(void *) {
/* if chunk info is valid, return the size of usable memory,
* else, return -1 to indicate an error
*/
...
}
int main() {
...
memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));
...
} If returnChunkSize() happens to encounter an error, and returns -1, memcpy will
assume that the value is unsigned and therefore interpret it as MAXINT-1, therefore
copying far more memory than is likely available in the destination buffer. | | Context Notes | Often, functions will return negative values to indicate a failure state. In the case
of functions which return values which are meant to be used as sizes, negative return values can
have unexpected results. If these values are passed to the standard memory copy or allocation
functions, they will implicitly cast the negative error-indicating value to a large unsigned
value. In the case of allocation, this may not be an issue; however, in the case of memory and
string copy functions, this can lead to a buffer overflow condition which may be exploitable.
Also, if the variables in question are used as indexes into a buffer, it may result in a buffer
underflow condition. Although less frequent an issue than signed-to-unsigned casting, unsigned-to-signed
casting can be the perfect precursor to dangerous buffer underwrite conditions that allow
attackers to move down the stack where they otherwise might not have access in a normal buffer
overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to
signed values, and then used as indexes into a buffer or for pointer arithmetic. | | Relationships | | | Source Taxonomies | CLASP - Unsigned to signed conversion error | | Applicable Platforms | C C++ | | Time of Introduction | Implementation | | Related Attack Patterns | | CAPEC-ID | Attack Pattern Name |
|---|
| 92 | Forced Integer Overflow |
|
|
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated
