Unexpected Sign Extension |
Weakness ID: 194 (Weakness Base) | Status: Incomplete |
Description Summary
Scope | Effect |
---|---|
Integrity Confidentiality Availability | When an unexpected sign extension occurs in code that operates directly on memory buffers, such as a size value or a memory index, then it could cause the program to write or read outside the boundaries of the intended buffer. If the numeric value is associated with an application-level resource, such as a quantity or price for a product in an e-commerce site, then the sign extension could produce a value that is much higher (or lower) than the application's allowable range. |
Example 1
The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.
Reference | Description |
---|---|
CVE-1999-0234 | Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection. |
CVE-2003-0161 | Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error. |
CVE-2007-4988 | chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. |
CVE-2006-1834 | chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier. |
CVE-2005-2753 | Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy. |
Phase: Implementation Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform sanity checks after you save those values to larger data types, or before passing them to functions that are expecting unsigned values. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 681 | Incorrect Conversion between Numeric Types | Development Concepts (primary)699 Research Concepts (primary)1000 |
CanAlsoBe | Category | 192 | Integer Coercion Error | Research Concepts1000 |
CanAlsoBe | Weakness Base | 197 | Numeric Truncation Error | Research Concepts1000 |
Sign extension errors can lead to buffer overflows and other memory-based problems. They are also likely to be factors in other weaknesses that are not based on memory operations, but rely on numeric calculation. |
John McDonald, Mark Dowd and Justin Schuh. "C Language Issues for Application Security". 2008-01-25. <http://www.informit.com/articles/article.aspx?p=686170&seqNum=6>. |
Robert Seacord. "Integral Security". 2006-11-03. <http://www.ddj.com/security/193501774>. |
This entry is closely associated with signed-to-unsigned conversion errors (CWE-195) and other numeric errors. These relationships need to be more closely examined within CWE. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
CLASP | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Common Consequences, Description, Relationships, Taxonomy Mappings | ||||
2008-11-05 | CWE Content Team | MITRE | Internal | |
complete rewrite of the entire entry | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Demonstrative Examples, Description, Maintenance Notes, Name, Observed Examples, Potential Mitigations, References, Relationship Notes, Relationships | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Sign Extension Error | |||
2008-11-24 | Incorrect Sign Extension | |||