CWE-128 超界折返处理错误

Wrap-around Error

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: Medium

基本描述

Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 682 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 682 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 119 cwe_View_ID: 1000

  • cwe_Nature: PeerOf cwe_CWE_ID: 190 cwe_View_ID: 1000

适用平台

Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Often'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Often'}]

常见的影响

范围 影响 注释
Availability ['DoS: Crash, Exit, or Restart', 'DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)', 'DoS: Instability'] This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Integrity Modify Memory If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
['Confidentiality', 'Availability', 'Access Control'] ['Execute Unauthorized Code or Commands', 'Bypass Protection Mechanism'] This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.

可能的缓解方案

策略:

Requirements specification: The choice could be made to use a language that is not susceptible to these issues.

Architecture and Design

策略:

Provide clear upper and lower bounds on the scale of any protocols designed.

Implementation

策略:

Place sanity checks on all incremented variables to ensure that they remain within reasonable bounds.

示例代码

The following image processing code allocates a table for images.

bad C

img_t table_ptr; /struct containing img data, 10kB each/
int num_imgs;
...
num_imgs = get_num_imgs();
table_ptr = (img_t)malloc(sizeof(img_t)num_imgs);
...

This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Wrap-around error
CERT C Secure Coding MEM07-C Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t
Software Fault Patterns SFP1 Glitch in computation

相关攻击模式

  • CAPEC-92

引用