CWE-839 – Numeric Range Comparison Without Minimum Check


Description

The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

Modes of Introduction:

Likelihood of Exploit:


Related Weaknesses

CWE-1023
CWE-195
CWE-682
CWE-119
CWE-124


Consequences

Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Availability: DoS: Resource Consumption (Other)

In some contexts, a negative value could lead to resource consumption.

Confidentiality, Integrity: Modify Memory, Read Memory

If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.


Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.

Phase: Implementation

Effectiveness:

Description: 

If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
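The following C snippet is an added illustration, not part of the CWE entry: it contrasts the maximum-only check that defines this weakness with the two mitigations above (an explicit lower-bound check for a signed value, and an unsigned/size_t type that makes a negative index impossible). The table, its length and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>

#define TABLE_LEN 8

/* Constructed sample table standing in for the "indexable structure". */
static const int table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/* CWE-839 pattern: only the upper bound is verified, so a negative index
 * taken from untrusted input passes the check and would later be used to
 * read before the start of the table. Returns 1 if the index is accepted. */
int accepts_index_max_only(int idx)
{
    if (idx >= TABLE_LEN)
        return 0;          /* rejects 8 and above ... */
    return 1;              /* ... but -1, -1000 etc. slip through */
}

/* Mitigation 2: the value is legitimately signed (it came from a text
 * parser), so both bounds are checked explicitly. */
int accepts_index_range_checked(int idx)
{
    return idx >= 0 && idx < TABLE_LEN;
}

/* Mitigation 1: the index is size_t, so a "negative" value cannot exist;
 * a negative int converted to size_t becomes a very large value that the
 * maximum check alone now rejects. */
int accepts_index_unsigned(size_t idx)
{
    return idx < TABLE_LEN;
}

/* Look up an entry from textual input with the full range check applied.
 * strtol() stands in for atoi() so that non-numeric input is detected too.
 * Returns 0 and writes *out on success; -1 if the index is rejected
 * (negative, too large, or not a number). */
int lookup_entry(const char *text, int *out)
{
    char *end = NULL;
    long idx = strtol(text, &end, 10);
    if (end == text || *end != '\0')
        return -1;
    if (idx < 0 || idx >= TABLE_LEN)   /* minimum AND maximum */
        return -1;
    *out = table[idx];
    return 0;
}
```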

CVE References


  • CVE-2010-1866
    • Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow.
  • CVE-2009-1099
    • Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.
  • CVE-2011-0521
    • Chain: kernel’s lack of a check for a negative value leads to memory corruption.
  • CVE-2010-3704
    • Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write.
  • CVE-2010-2530
    • Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.
  • CVE-2009-3080
    • Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.
  • CVE-2008-6393
    • Chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.
  • CVE-2008-4558
    • Chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.