CWE-681: Incorrect Conversion between Numeric Types
Incorrect Conversion between Numeric Types
Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: High
Description
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
Relationships
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | CWE-704 (Incorrect Type Conversion or Cast) | 1000 (Research Concepts) | Primary |
ChildOf | CWE-704 (Incorrect Type Conversion or Cast) | 1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities) | Primary |
CanPrecede | CWE-682 (Incorrect Calculation) | 1000 (Research Concepts) | |
Applicable Platforms
Language: Language-Independent (Prevalence: Undetermined)
Common Consequences
Scope | Impact | Notes |
---|---|---|
Other, Integrity | Unexpected State, Quality Degradation | The program could wind up using the wrong number and generate incorrect results. If the number is used to allocate resources or make a security decision, then this could introduce a vulnerability. |
Potential Mitigations
Phase: Implementation
Avoid conversions between numeric types where possible. Where a conversion is unavoidable, check that the value lies within the range of the destination type before converting it, and treat an out-of-range value as an error rather than letting it wrap, truncate, or change sign.
Demonstrative Examples
Example 1
In the following Java example, a float literal is cast to an integer, thus causing a loss of precision.
Bad code (Java)
Example 2
This code adds a float and an integer together; the float is cast to an integer before the addition.
Bad code (PHP)
$floatVal = 1.8345;  // the value implied by the explanation below (4.8345 - 3)
$intVal = 3;
$result = (int)$floatVal + $intVal;
Without the cast, PHP would preserve the fractional part and produce $result = 4.8345. A reader might expect the cast to follow the usual rounding convention and yield 5. However, (int) in PHP does not round: it truncates toward zero and discards the fractional part (for positive values this is the same as rounding down), so (int)$floatVal is 1 and the final value of $result is 4. Casting the whole sum, (int)($floatVal + $intVal), also gives 4. Code that assumes rounding, or assumes the value survives the cast unchanged, will behave in unintended ways.
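The conversion in Examples 1 and 2 written out in C, as an added example that is not part of the CWE entry: the unchecked cast truncates toward zero exactly as the PHP cast does (and is undefined behaviour when the value does not fit), and a range-checked conversion in the spirit of CERT FLP34-C shows what "always check for the allowed ranges" looks like in practice. The function names are mine, and the inputs are constructed to match Example 2.

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked conversion, the C equivalent of (int)$floatVal above: the cast
 * discards the fractional part (truncation toward zero); it never rounds.
 * If the value does not fit in an int, the behaviour is undefined. */
int trunc_toward_zero(double f)
{
    return (int)f;
}

/* Checked conversion in the spirit of CERT FLP34-C. A double can be
 * truncated into an int only if it lies strictly between INT_MIN - 1 and
 * INT_MAX + 1 (both exactly representable as doubles). NaN fails both
 * comparisons, so it is rejected too. The result goes through an
 * out-parameter so that "conversion refused" cannot be mistaken for data. */
bool double_to_int_checked(double f, int *out)
{
    if (!(f > (double)INT_MIN - 1.0 && f < (double)INT_MAX + 1.0))
        return false;
    *out = (int)f;
    return true;
}

/* For callers that genuinely want the "rounding convention" the PHP text
 * assumes: round half away from zero, then range-check. Written without
 * libm calls so the file links with a plain cc invocation. */
bool double_to_int_rounded(double f, int *out)
{
    double shifted = (f >= 0.0) ? f + 0.5 : f - 0.5;
    return double_to_int_checked(shifted, out);
}

int main(void)
{
    /* Constructed inputs mirroring Example 2: 1.8345 and 3. */
    double float_val = 1.8345;
    int int_val = 3;
    int r;

    printf("(int)%.4f + %d = %d   (truncation, not rounding)\n",
           float_val, int_val, trunc_toward_zero(float_val) + int_val);
    printf("(int)(-%.4f) = %d       (toward zero, not down)\n",
           float_val, trunc_toward_zero(-float_val));
    if (double_to_int_rounded(float_val + int_val, &r))
        printf("rounded(%.4f) = %d\n", float_val + int_val, r);

    /* 3e9 does not fit a 32-bit int: the cast would be undefined behaviour;
     * the checked conversion refuses it instead of guessing. */
    if (!double_to_int_checked(3.0e9, &r))
        printf("3e9 rejected: out of range for int\n");
    if (!double_to_int_checked(NAN, &r))
        printf("NaN rejected\n");
    return 0;
}
```

The out-parameter style matters as much as the comparison: a helper that returns a sentinel such as 0 or -1 on failure reintroduces exactly the in-band error value that Examples 3 and 4 below turn into 4,294,967,295.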
Example 3
In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.
Bad code (C)
unsigned int readdata() {
    int amount = 0;   /* signed, so it can hold the -1 error value */
    ...
    if (result == ERROR)
        amount = -1;
    ...
    return amount;    /* int -> unsigned int conversion happens here */
}
If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.
Example 4
In this example, depending on the return value of accessmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly converted to an unsigned number.
Bad code (C)
unsigned int readdata() {
    int amount = 0;   /* signed, so it can hold a negative return value */
    ...
    amount = accessmainframe();
    ...
    return amount;    /* int -> unsigned int conversion happens here */
}
If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.
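Examples 3 and 4 share one defect, a signed error value returned through an unsigned type, and the Observed Examples below list two further shapes of the same weakness: truncation of a length field (CVE-2009-0231) and sign extension of a 16-bit width (CVE-2007-4988). The added example below is my code, not the CWE entry's; it shows each unchecked conversion next to a checked version that follows CERT INT31-C (range-check first, report failure out of band). accessmainframe() is a stand-in whose behaviour is assumed, and the function names and values are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the page's accessmainframe() (assumed here): returns a byte
 * count on success and -1 on failure, the classic in-band error value. */
static int accessmainframe(bool fail)
{
    return fail ? -1 : 1024;
}

/* The pattern of Examples 3 and 4: the signed error value leaks through the
 * unsigned return type. -1 converts to UINT_MAX (4,294,967,295 on a 32-bit
 * int), and a caller that uses the result as a length or allocation size
 * ends up with an integer overflow or a heap overflow. */
unsigned int readdata_unchecked(bool fail)
{
    int amount = accessmainframe(fail);
    return amount;                       /* implicit int -> unsigned int */
}

/* Hardened version: errors travel on their own channel, and the conversion
 * happens only after the value is known to be non-negative. */
bool readdata_checked(bool fail, unsigned int *amount_out)
{
    int amount = accessmainframe(fail);
    if (amount < 0)
        return false;
    *amount_out = (unsigned int)amount;
    return true;
}

/* Narrowing a length into a 16-bit field, the shape described for
 * CVE-2009-0231. Unchecked, 0x10001 silently becomes 1. */
uint16_t length_to_u16_unchecked(size_t len)
{
    return (uint16_t)len;
}

bool length_to_u16_checked(size_t len, uint16_t *out)
{
    if (len > UINT16_MAX)               /* CERT INT31-C: range check first */
        return false;
    *out = (uint16_t)len;
    return true;
}

/* Sign extension, the shape described for CVE-2007-4988: a signed 16-bit
 * width of -1 is promoted to int, then converted to unsigned int, giving
 * 0xFFFFFFFF rather than 0xFFFF. A later width * height then wraps. */
unsigned int width_unchecked(int16_t width)
{
    return width;
}

bool width_checked(int16_t width, unsigned int *out)
{
    if (width < 0)
        return false;
    *out = (unsigned int)width;
    return true;
}

int main(void)
{
    unsigned int u;
    uint16_t u16;

    printf("readdata_unchecked on error: %u (UINT_MAX is %u)\n",
           readdata_unchecked(true), UINT_MAX);
    printf("readdata_checked on error: %s\n",
           readdata_checked(true, &u) ? "ok" : "refused");
    printf("0x10001 as uint16_t: %u\n",
           (unsigned int)length_to_u16_unchecked(0x10001));
    printf("0x10001 checked: %s\n",
           length_to_u16_checked(0x10001, &u16) ? "ok" : "refused");
    printf("int16_t -1 as unsigned int: 0x%x\n", width_unchecked(-1));
    printf("int16_t -1 checked: %s\n",
           width_checked(-1, &u) ? "ok" : "refused");
    return 0;
}
```

Compiling with -Wconversion -Wsign-conversion flags every implicit conversion in the unchecked functions, which is a cheap way to find candidates for this weakness in an existing code base; the checked helpers compile cleanly because each conversion is explicit and guarded.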
Observed Examples
ID | Description | Link |
---|---|---|
CVE-2007-4268 | Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4268 |
CVE-2007-4988 | Chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988 |
CVE-2009-0231 | Integer truncation of length value leads to heap-based buffer overflow. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0231 |
CVE-2008-3282 | Size of a particular type changes for 64-bit platforms, leading to an integer truncation in a document processor that causes an incorrect index to be generated. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3282 |
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CERT C Secure Coding | FLP34-C | CWE More Abstract | Ensure that floating point conversions are within range of the new type |
CERT C Secure Coding | INT15-C | | Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types |
CERT C Secure Coding | INT31-C | CWE More Abstract | Ensure that integer conversions do not result in lost or misinterpreted data |
CERT C Secure Coding | INT35-C | | Evaluate integer expressions in a larger size before comparing or assigning to that size |
The CERT Oracle Secure Coding Standard for Java (2011) | NUM12-J | | Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data |
Software Fault Patterns | SFP1 | | Glitch in computation |
OMG ASCSM | ASCSM-CWE-681 | | |
References
Source: scap中文网