Description
The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.
Modes of Introduction:
Likelihood of Exploit:
Related Weaknesses
CWE-1023
CWE-195
CWE-682
CWE-119
CWE-124
Consequences
Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands
An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.
Availability: DoS: Resource Consumption (Other)
In some contexts, a negative value could lead to resource consumption.
Confidentiality, Integrity: Modify Memory, Read Memory
If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.
Potential Mitigations
Phase: Implementation
Effectiveness:
Description:
If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.
Phase: Implementation
Effectiveness:
Description:
If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
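The following C program is an added example (not part of the CWE entry) that contrasts the weakness with the two mitigations above: a maximum-only check that accepts a negative index, the same check with a minimum bound added, and the unsigned-type alternative where a negative value wraps to a large number and fails the upper-bound test. The table, the function names and the sample inputs are constructed for illustration; the parse_index() helper uses strtol() with a range check in place of the unchecked atoi() pattern mentioned in the CVE list.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_LEN 8

/* Constructed sample table; a negative index would read before table[0]. */
static const int table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Weak check (CWE-839): only the maximum is verified, so -1 is accepted. */
int accepts_max_only(int idx) {
    return idx <= TABLE_LEN - 1;
}

/* Mitigation 2: keep the signed type but check both bounds. */
int accepts_min_and_max(int idx) {
    return idx >= 0 && idx <= TABLE_LEN - 1;
}

/* Mitigation 1: use an unsigned type; a negative value converted to size_t
 * becomes very large and is rejected by the single upper-bound comparison. */
int accepts_unsigned(size_t idx) {
    return idx < TABLE_LEN;
}

/* Bounded lookup built on the two-sided check. Returns the table entry,
 * or `fallback` when the index is rejected. */
int lookup_or(int idx, int fallback) {
    if (!accepts_min_and_max(idx)) {
        return fallback;
    }
    return table[idx];
}

/* Parse an index from text. Unlike atoi(), strtol() reports errors and
 * the result is range-checked before use. Returns the index, or -1 on
 * any parse or range failure (valid indexes are never negative). */
int parse_index(const char *s) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0') {
        return -1;                /* not a complete, in-range integer */
    }
    if (v < 0 || v > TABLE_LEN - 1) {
        return -1;                /* explicit minimum and maximum check */
    }
    return (int)v;
}

int main(void) {
    const int probes[] = {-1, 0, 7, 8};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int p = probes[i];
        printf("idx %2d: max-only=%d  min+max=%d  unsigned=%d\n",
               p, accepts_max_only(p), accepts_min_and_max(p),
               accepts_unsigned((size_t)p));
    }
    printf("lookup_or(3) = %d, lookup_or(-1) = %d\n",
           lookup_or(3, -1), lookup_or(-1, -1));
    printf("parse_index(\"5\") = %d, parse_index(\"-2\") = %d\n",
           parse_index("5"), parse_index("-2"));
    return 0;
}
```

Running the program shows the weak check accepting -1 while both corrected forms reject it; the signed-with-range-check variant is the right choice when the specification genuinely allows negative values elsewhere, and the unsigned variant when the quantity is a count or offset that can never be negative.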
CVE References
- CVE-2010-1866
- Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow.
- CVE-2009-1099
- Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.
- CVE-2011-0521
- Chain: kernel’s lack of a check for a negative value leads to memory corruption.
- CVE-2010-3704
- Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write.
- CVE-2010-2530
- Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.
- CVE-2009-3080
- Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.
- CVE-2008-6393
- Chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.
- CVE-2008-4558
- Chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.