CWE-128 超界折返处理错误
Wrap-around Error
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: Medium
基本描述
Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 682 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 682 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: CanPrecede cwe_CWE_ID: 119 cwe_View_ID: 1000
-
cwe_Nature: PeerOf cwe_CWE_ID: 190 cwe_View_ID: 1000
适用平台
Language: [{'cwe_Name': 'C', 'cwe_Prevalence': 'Often'}, {'cwe_Name': 'C++', 'cwe_Prevalence': 'Often'}]
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Availability | ['DoS: Crash, Exit, or Restart', 'DoS: Resource Consumption (CPU)', 'DoS: Resource Consumption (Memory)', 'DoS: Instability'] | This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high. |
| Integrity | Modify Memory | If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur. |
| ['Confidentiality', 'Availability', 'Access Control'] | ['Execute Unauthorized Code or Commands', 'Bypass Protection Mechanism'] | This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy. |
可能的缓解方案
策略:
Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
Architecture and Design
策略:
Provide clear upper and lower bounds on the scale of any protocols designed.
Implementation
策略:
Place sanity checks on all incremented variables to ensure that they remain within reasonable bounds.
示例代码
例
The following image processing code allocates a table for images.
bad C
int num_imgs;
...
num_imgs = get_num_imgs();
table_ptr = (img_t)malloc(sizeof(img_t)num_imgs);
...
This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Wrap-around error | ||
| CERT C Secure Coding | MEM07-C | Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t | |
| Software Fault Patterns | SFP1 | Glitch in computation |
相关攻击模式
- CAPEC-92