CWE-1284 – Improper Validation of Specified Quantity in Input


Description

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Modes of Introduction:

– Implementation


Related Weaknesses

CWE-20


Consequences

Other: Varies by Context

Because quantities so often control resource allocation or drive financial processing, they appear in many places in the code, and the impact of an unvalidated quantity depends on where that value is used: an oversized length can turn into a buffer over-read or an excessive allocation, and a zero or undersized length can stall a parsing loop.


Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

CVE References

  • CVE-2008-1440
    • lack of validation of length field leads to infinite loop
  • CVE-2008-2374
    • lack of validation of string length fields allows memory consumption or buffer over-read