Base weakness

Incomplete

CWE-839: Numeric Range Comparison Without Minimum Check

Also known as: Signed comparison

The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code is intended to read an incoming packet from a socket and extract one or more headers.

Vulnerable example

DataPacket *packet;

The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow.

The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.

Vulnerable example

int GetUntrustedInt () {

This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119).

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method

Vulnerable example

int getValueFromArray(int *array, int len, int index) {

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.

The following code shows a simple BankAccount class with deposit and withdraw methods.

Vulnerable example

java

public class BankAccount {

Safe example

java

public class BankAccount {

CWE-839: Numeric Range Comparison Without Minimum Check

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-839?

What CVEs are caused by CWE-839?

How do you prevent CWE-839?

How is CWE-839 detected?

What are the consequences of CWE-839?

Is CWE-839 actively exploited?

References

Stay ahead of CWE-839

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Can precede

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-839?

What CVEs are caused by CWE-839?

How do you prevent CWE-839?

How is CWE-839 detected?

What are the consequences of CWE-839?

Is CWE-839 actively exploited?

References

Stay ahead of CWE-839