Signed to Unsigned Conversion Error
ID: 195 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
A signed-to-unsigned conversion error takes place when a signed
primitive is used as an unsigned value, usually as a size
variable.
Extended Description
It is dangerous to rely on implicit casts between signed and unsigned
numbers because the result can take on an unexpected value and violate
assumptions made by the program.
Applicable Platforms
Language: C
Language: C++
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|
Integrity | Unexpected state | Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities. |
Detection Methods
None
Potential Mitigations
None
Relationships
Related CWE | Type | View | Chain |
---|
CWE-195 ChildOf CWE-885 | Category | CWE-888 | |
Demonstrative Examples
- In this example the variable amount can hold a negative value when
it is returned. Because the function is declared to return an unsigned int,
amount will be implicitly converted to unsigned. (Demonstrative Example Id DX-73)
- In this example, depending on the return value of
accessmainframe(), the variable amount can hold a negative value when it is
returned. Because the function is declared to return an unsigned value,
amount will be implicitly cast to an unsigned number. (Demonstrative Example Id DX-74)
- The following code is intended to read an incoming packet from a
socket and extract one or more headers. (Demonstrative Example Id DX-21)
- This example processes user input comprised of a series of
variable-length structures. The first 2 bytes of input dictate the size of
the structure to be processed.
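The length-prefixed pattern from the last example, sketched as an added illustration that is not code from this entry: a flawed size check beside a hardened parser. The function names, the big-endian byte order of the 2-byte prefix and the REC_MAX capacity are assumptions made for the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_MAX 64  /* assumed capacity of the destination buffer */

/* Flawed pattern: the 2-byte prefix is stored in a SIGNED 16-bit value,
 * so 0xFFFF becomes -1 on common two's-complement compilers. */
static int16_t read_len_signed(const unsigned char *in) {
    return (int16_t)(uint16_t)((in[0] << 8) | in[1]);
}

/* Returns the size_t a flawed parser WOULD pass to memcpy(); 0 means the
 * record was rejected. No copy is performed here. */
size_t flawed_copy_size(const unsigned char *in) {
    int16_t len = read_len_signed(in);
    if (len > REC_MAX)      /* signed comparison: a negative len passes */
        return 0;
    return (size_t)len;     /* signed to unsigned: -1 becomes SIZE_MAX */
}

/* Hardened parser: the length stays unsigned end to end and is checked
 * against the destination capacity and the bytes actually present.
 * Returns the number of bytes copied, or -1 for a malformed record. */
long parse_record(const unsigned char *in, size_t in_len,
                  unsigned char *out, size_t out_cap) {
    if (in_len < 2)
        return -1;
    size_t len = ((size_t)in[0] << 8) | in[1];  /* 0..65535, never negative */
    if (len > out_cap || len > in_len - 2)
        return -1;
    memcpy(out, in + 2, len);
    return (long)len;
}

int main(void) {
    /* Constructed sample records: the first claims 0xFFFF bytes, the
     * second is a well-formed 3-byte record. */
    const unsigned char bad[] = {0xFF, 0xFF, 'A'};
    const unsigned char ok[]  = {0x00, 0x03, 'a', 'b', 'c'};
    unsigned char out[REC_MAX];

    printf("flawed size for bad record: %zu\n", flawed_copy_size(bad));
    printf("hardened result, bad: %ld\n", parse_record(bad, sizeof bad, out, sizeof out));
    printf("hardened result, ok:  %ld\n", parse_record(ok, sizeof ok, out, sizeof out));
    return 0;
}
```

Compilers can flag the implicit conversions at the flawed sites with `-Wsign-conversion` and `-Wsign-compare` (GCC and Clang).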
Observed Examples
- CVE-2007-4268 : Chain: integer signedness passes signed comparison, leads to heap overflow
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
CLASP | | Signed to unsigned conversion error | |
References:
- Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley. Section: 'Chapter 6, "Type Conversions", Page 223'. Published in 2006.