Abstraction: Variant
Status: Draft

CWE-196: Unsigned to Signed Conversion Error

Category: other

Description

The product uses an unsigned primitive and casts it to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive cannot be represented by the signed primitive. Although a less frequent issue than signed-to-unsigned conversion, unsigned-to-signed conversion can be the perfect precursor to dangerous buffer underwrite conditions that allow attackers to move down the stack where they otherwise might not have access in a normal buffer overflow condition. Buffer underwrites occur frequently when large unsigned values are cast to signed values and then used as indexes into a buffer or for pointer arithmetic.

Common consequences (3)

  • Availability — DoS: Crash, Exit, or Restart
    Incorrect sign conversions generally lead to undefined behavior, and therefore crashes.
  • Integrity — Modify Memory
    If a poor cast leads to a buffer overflow or similar condition, data integrity may be affected.
  • Integrity / Confidentiality / Availability / Access Control — Execute Unauthorized Code or Commands, Bypass Protection Mechanism
    Improper sign conversions performed without proper checking can sometimes trigger buffer overflows, which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

Potential mitigations (3)

  • [Requirements] Choose a language which is not subject to these casting flaws.
  • [Architecture and Design] Design object accessor functions to implicitly check values for valid sizes. Ensure that every value which will be used as a size is checked before it is used as one. If the language permits, throw exceptions rather than using in-band errors.
  • [Implementation] Error-check the return values of all functions. Be aware of the implicit casts that are made, and use unsigned variables for sizes if at all possible.
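The cast described in the description and the checked accessor the mitigations call for, side by side, as an added C example that is not part of the CWE entry. The buffer `g_buf`, its size and the sample value 0xFFFFFFF0 are constructed for illustration; the unchecked function only computes the offset and never dereferences it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Constructed sample buffer (not from the page). */
static char g_buf[BUF_SIZE];

/* CWE-196 pattern: an unsigned length is cast to a signed int and then
 * treated as a buffer offset. Any value above INT_MAX no longer fits; on
 * common compilers the cast wraps to a negative number, so buf + offset
 * would point *before* the buffer (a buffer underwrite). */
long unchecked_offset(unsigned int len) {
    int signed_len = (int)len;   /* lossy unsigned-to-signed conversion */
    return (long)signed_len;     /* negative for len > INT_MAX */
}

/* Hardened form, following the mitigations above: the size is checked as an
 * unsigned value before any conversion, it stays unsigned (size_t), and
 * failure is reported out-of-band via the return value rather than through
 * an in-band sentinel such as -1. */
bool checked_offset(unsigned int len, size_t bufsize, size_t *out) {
    if (len >= bufsize) {        /* rejects every value >= bufsize, huge ones included */
        return false;
    }
    *out = (size_t)len;          /* unsigned-to-unsigned widening: value unchanged */
    return true;
}

/* Accessor that routes every store through the check (the "object accessor
 * functions" the mitigations describe). */
bool buf_store(unsigned int idx, char c) {
    size_t off;
    if (!checked_offset(idx, sizeof g_buf, &off)) {
        return false;            /* rejected; g_buf is untouched */
    }
    g_buf[off] = c;
    return true;
}

int main(void) {
    unsigned int big = 0xFFFFFFF0u;   /* constructed attacker-controlled size */
    printf("unchecked offset for %u: %ld\n", big, unchecked_offset(big));
    printf("checked store at %u: %s\n", big, buf_store(big, 'x') ? "ok" : "rejected");
    printf("checked store at 5: %s\n", buf_store(5u, 'x') ? "ok" : "rejected");
    return 0;
}
```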

Related CAPEC attack patterns (1)

CAPEC-92: Forced Integer Overflow

References

  1. https://cwe.mitre.org/data/definitions/196.html

Exploits (incoming) (1)

Type            Target                              Confidence   Tier
AttackPattern   Forced Integer Overflow (capec-92)  100%         live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Signed to Unsigned Conversion Error
  • CWE: Integer Overflow to Buffer Overflow
  • CWE: Buffer Access with Incorrect Length Value
  • CWE: Use of Out-of-range Pointer Offset
  • CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.