Numeric Range Comparison Without Minimum Check

ID: 839
Date: (C) 2012-05-14   (M) 2012-11-08
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

The program checks a value to ensure that it does not exceed a maximum, but it does not verify that the value exceeds the minimum.

Extended Description

Some programs use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption.

The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.

Applicable Platforms
Language: C (Often)
Language: C++ (Often)

Common Consequences

Scope: Integrity, Confidentiality, Availability
Technical Impact: Modify application data; Execute unauthorized code or commands
Notes: An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Scope: Availability
Technical Impact: DoS: resource consumption (other)
Notes: In some contexts, a negative value could lead to resource consumption.

Scope: Confidentiality, Integrity
Technical Impact: Modify memory; Read memory
Notes: If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.

Detection Methods
None

Potential Mitigations

Phase: Implementation
Strategy: Enforcement by Conversion
Description: If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.

Phase: Implementation
Strategy: Input Validation
Description: If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
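The maximum-only check from the Extended Description beside both mitigations from the table above, as an added example in C that is not part of the CWE entry; the table, its length and the function names are constructed for illustration.

```c
#include <stddef.h>

#define TABLE_LEN 16

/* Constructed sample table for the demonstration. */
static const unsigned char table[TABLE_LEN] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};

/* The CWE-839 predicate: only the maximum is tested. Returns 1 when the
 * check lets idx through. A negative idx passes, because -3 < TABLE_LEN. */
int max_only_check_passes(int idx)
{
    return idx < TABLE_LEN;
}

/* Weak lookup built on that predicate: a negative idx reads before the
 * start of the table (out-of-bounds read, undefined behaviour).
 * Returns the byte, or -1 when the check rejects idx. */
int lookup_max_only(int idx)
{
    if (!max_only_check_passes(idx))
        return -1;
    return table[idx];
}

/* Mitigation "Input Validation": the type stays signed (the caller's
 * interface may require it), so the minimum is checked explicitly. */
int lookup_checked(int idx)
{
    if (idx < 0 || idx >= TABLE_LEN)
        return -1;
    return table[idx];
}

/* Mitigation "Enforcement by Conversion": the index is size_t, so no
 * negative value can reach the function. An int -3 converted to size_t
 * becomes SIZE_MAX - 2, which the single maximum check now rejects. */
int lookup_unsigned(size_t idx)
{
    if (idx >= TABLE_LEN)
        return -1;
    return table[idx];
}
```

Only the predicate of the weak version is exercised below; calling lookup_max_only with a negative index would perform the out-of-bounds read the entry describes.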

Relationships

Related CWE: CWE-839 CanPrecede CWE-124
Type: Weakness
View: CWE-1000

Demonstrative Examples

  1. In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method. (Demonstrative Example Id DX-100)
  2. The following code is intended to read an incoming packet from a socket and extract one or more headers. (Demonstrative Example Id DX-21)
  3. The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short ints are frequently used within real-world code, such as code that processes structured data. (Demonstrative Example Id DX-23)
  4. The following code shows a simple BankAccount class with deposit and withdraw methods.

Observed Examples

  1. CVE-2010-1866 : Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow.
  2. CVE-2009-1099 : Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.
  3. CVE-2011-0521 : Chain: kernel's lack of a check for a negative value leads to memory corruption.
  4. CVE-2010-3704 : Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write.
  5. CVE-2010-2530 : Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.
  6. CVE-2009-3080 : Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.
  7. CVE-2008-6393 : Chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.
  8. CVE-2008-4558 : Chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

© 2013 SecPod Technologies