Unsigned to Signed Conversion Error |
Weakness ID: 196 (Weakness Variant) | Status: Draft |
Description Summary
Scope | Effect |
---|---|
Availability | Incorrect sign conversions generally lead to undefined behavior, and therefore crashes. |
Integrity | If a poor cast lead to a buffer overflow or similar condition, data integrity may be affected. |
Integrity | Improper signed-to-unsigned conversions without proper checking can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. |
Example 1
In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:
If returnChunkSize() happens to encounter an error, and returns -1, memcpy will assume that the value is unsigned and therefore interpret it as MAXINT-1, therefore copying far more memory than is likely available in the destination buffer.
Requirements specification: Choose a language which is not subject to these casting flaws. |
Phase: Architecture and Design Design object accessor functions to implicitly check values for valid sizes. Ensure that all functions which will be used as a size are checked previous to use as a size. If the language permits, throw exceptions rather than using in-band errors. |
Phase: Implementation Error check the return values of all functions. Be aware of implicit casts made, and use unsigned variables for sizes if at all possible. |
Often, functions will return negative values to indicate a failure state. In the case of functions which return values which are meant to be used as sizes, negative return values can have unexpected results. If these values are passed to the standard memory copy or allocation functions, they will implicitly cast the negative error-indicating value to a large unsigned value. In the case of allocation, this may not be an issue; however, in the case of memory and string copy functions, this can lead to a buffer overflow condition which may be exploitable. Also, if the variables in question are used as indexes into a buffer, it may result in a buffer underflow condition. Although less frequent an issue than signed-to-unsigned casting, unsigned-to-signed casting can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values, and then used as indexes into a buffer or for pointer arithmetic. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 681 | Incorrect Conversion between Numeric Types | Development Concepts (primary)699 Research Concepts (primary)1000 |
CanAlsoBe | Weakness Base | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Research Concepts1000 |
CanAlsoBe | Weakness Base | 124 | Buffer Underwrite ('Buffer Underflow') | Research Concepts1000 |
CanAlsoBe | Category | 192 | Integer Coercion Error | Research Concepts1000 |
CanAlsoBe | Weakness Base | 197 | Numeric Truncation Error | Research Concepts1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | Unsigned to signed conversion error |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
92 | Forced Integer Overflow |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
CLASP | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Common Consequences, Relationships, Other Notes, Taxonomy Mappings | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Common Consequences |