CWE-839 未进行最小值检查的数值范围比较
Numeric Range Comparison Without Minimum Check
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: unkown
基本描述
The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.
扩展描述
Some programs use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption.
The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 1023 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: CanPrecede cwe_CWE_ID: 195 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 682 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 119 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 124 cwe_View_ID: 1000
适用平台
Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Often'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Often'}]
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Integrity', 'Confidentiality', 'Availability'] | ['Modify Application Data', 'Execute Unauthorized Code or Commands'] | An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands. |
| Availability | DoS: Resource Consumption (Other) | in some contexts, a negative value could lead to resource consumption. |
| ['Confidentiality', 'Integrity'] | ['Modify Memory', 'Read Memory'] | If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer. |
可能的缓解方案
Implementation
策略: Enforcement by Conversion
If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.
Implementation
策略: Input Validation
If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
示例代码
例
The following code is intended to read an incoming packet from a socket and extract one or more headers.
bad C
int numHeaders;
PacketHeader headers;
sock=AcceptSocketConnection();
ReadPacket(packet, sock);
numHeaders =packet->headers;
if (numHeaders > 100) {
}
headers = malloc(numHeaders * sizeof(PacketHeader);
ParsePacketHeaders(packet, headers);
The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow.
例
The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.
bad C
}
void main (int argc, char argv) {
char input;
int i;
short s;
unsigned int sz;
i = GetUntrustedInt();
s = i;
/ s is -1 so it passes the safety check - CWE-697 /
if (s > 256) {
}
/ s is sign-extended and saved in sz /
sz = s;
/ output: i=65535, s=-1, sz=4294967295 - your mileage may vary /
printf("i=%d, s=%d, sz=%un", i, s, sz);
input = GetUserInput("Enter pathname:");
/ strncpy interprets s as unsigned int, so it's treated as MAX_INT
(CWE-195), enabling buffer overflow (CWE-119) /
strncpy(path, input, s);
path[255] = '�'; / don't want CWE-170 */
printf("Path is: %sn", path);
}
This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119).
例
In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method
bad C
int value;
// check that the array index is less than the maximum
// length of the array
if (index
// get the value at the specified index of the array
value = array[index];
}
// if array index is invalid then output error message
// and return value indicating error
else {
value = -1;
}
return value;
}文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论