...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship
---|---|---
CERT C Coding Standard | INT02-C. Understand integer conversion rules | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C | ARR30-C. Do not form or use out-of-bounds pointers or array subscripts | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C | ARR36-C. Do not subtract or compare two pointers that do not refer to the same array | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C | ARR37-C. Do not add or subtract an integer to a pointer to a non-array object | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C | CON08-C. Do not assume that a group of calls to independently atomic methods is atomic | Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013 | Arithmetic Wrap-Around Error [FIF] | Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11 | CWE-190, Integer Overflow or Wraparound | 2016-12-02: CERT: Rule subset of CWE
CWE 2.11 | CWE-131 | 2017-05-16: CERT: Partial overlap
CWE 2.11 | CWE-191 | 2017-05-18: CERT: Partial overlap
CWE 2.11 | CWE-680 | 2017-05-18: CERT: Partial overlap
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-131 and INT30-C
Intersection( INT30-C, MEM35-C) = Ø
Intersection( CWE-131, INT30-C) =
- Calculating a buffer size such that the calculation wraps. This can happen, for example, when using malloc() or operator new[] to allocate an array, multiplying the array item size with the array dimension. An untrusted dimension could cause wrapping, resulting in a too-small buffer being allocated, and subsequently overflowed when the array is initialized.
CWE-131 – INT30-C =
- Incorrect calculation of a buffer size that does not involve wrapping. This includes off-by-one errors, for example.
INT30-C – CWE-131 =
- Integer wrapping where the result is not used to allocate memory.
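The intersection case above (a buffer size that wraps because of an untrusted dimension) is shown here as an added example; it is not code from the CERT standard. The names struct item, size_mul_wraps, unchecked_bytes and alloc_items are hypothetical, and the hostile dimension is a constructed value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record type standing in for "the array item". */
struct item { uint32_t id; char name[28]; };

/* Returns 1 if count * size cannot be represented in size_t. */
static int size_mul_wraps(size_t count, size_t size)
{
    return size != 0 && count > SIZE_MAX / size;
}

/* The unchecked calculation. Unsigned arithmetic is well defined, so an
 * oversized count silently wraps modulo SIZE_MAX + 1 instead of failing. */
static size_t unchecked_bytes(size_t count)
{
    return count * sizeof(struct item);
}

/* Checked allocation: the dimension is tested before the multiplication,
 * so a wrapped (too small) size never reaches malloc(). */
static struct item *alloc_items(size_t count)
{
    if (count == 0 || size_mul_wraps(count, sizeof(struct item)))
        return NULL;
    return malloc(count * sizeof(struct item));
}

int main(void)
{
    /* Constructed untrusted dimension, just past the largest safe count. */
    size_t hostile = SIZE_MAX / sizeof(struct item) + 2;
    struct item *ok = alloc_items(16);

    printf("requested items : %zu\n", hostile);
    printf("unchecked bytes : %zu\n", unchecked_bytes(hostile));
    printf("checked alloc   : %s\n",
           alloc_items(hostile) ? "allocated" : "rejected");
    printf("16 items        : %s\n", ok ? "allocated" : "rejected");
    free(ok);
    return 0;
}
```

The unchecked byte count comes out far smaller than the number of items requested, which is the too-small buffer the note describes.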
CWE-680 and INT30-C
Intersection( CWE-680, INT30-C) =
- Unsigned integer overflows that lead to buffer overflows
CWE-680 – INT30-C =
- Signed integer overflows that lead to buffer overflows
INT30-C – CWE-680 =
- Unsigned integer overflows that do not lead to buffer overflows
CWE-191 and INT30-C
Union( CWE-190, CWE-191) = Union( INT30-C, INT32-C)
Intersection( INT30-C, INT32-C) == Ø
Intersection(CWE-191, INT30-C) =
- Underflow of unsigned integer operation
CWE-191 – INT30-C =
- Underflow of signed integer operation
INT30-C – CWE-191 =
- Overflow of unsigned integer operation
Bibliography
[Bailey 2014] | Raising Lazarus - The 20 Year Old Bug that Went to Mars
[Dowd 2006] | Chapter 6, "C Language Issues" ("Arithmetic Boundary Conditions," pp. 211–223)
[ISO/IEC 9899:2011] | Subclause 6.2.5, "Types"
[Seacord 2013b] | Chapter 5, "Integer Security"
[Viega 2005] | Section 5.2.7, "Integer Overflow"
[VU#551436]
[Warren 2002] | Chapter 2, "Basics"
[Wojtczuk 2008]
[xorl 2009] | "CVE-2009-1385: Linux Kernel E1000 Integer Underflow"
...