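CWE-839 Numeric Range Comparison Without Minimum Check: Vulnerability List (2)

Summary of the 2 CVEs recorded for weakness class CWE-839 (Numeric Range Comparison Without Minimum Check), with AI analysis in Chinese.

CWE-839 is an input validation flaw in which a program checks only the upper bound of a numeric value and does not validate the lower bound. Attackers commonly exploit it by passing a negative or very small value to bypass a logic limit, triggering an error or performing an unauthorized operation. When validating the maximum, developers should also explicitly check that the value is greater than or equal to the expected minimum. This matters most for signed integers that can be negative, where the boundary check must cover both ends.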

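MITRE CWE Official Description
CWE: CWE-839 Numeric Range Comparison Without Minimum Check. The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum. Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.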
Common Consequences (3)
Integrity, Confidentiality, Availability · Modify Application Data, Execute Unauthorized Code or Commands
An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.
Availability · DoS: Resource Consumption (Other)
In some contexts, a negative value could lead to resource consumption.
Confidentiality, Integrity · Modify Memory, Read Memory
If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.
Mitigations (2)
Implementation · If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.
Implementation · If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
Code Examples (2)
The following code is intended to read an incoming packet from a socket and extract one or more headers.
    DataPacket *packet;
    int numHeaders;
    PacketHeader *headers;

    sock = AcceptSocketConnection();
    ReadPacket(packet, sock);
    numHeaders = packet->headers;

    /* Only the maximum is checked, so a negative numHeaders passes. */
    if (numHeaders > 100) {
        ExitError("too many headers!");
    }
    headers = malloc(numHeaders * sizeof(PacketHeader));
    ParsePacketHeaders(packet, headers);
Bad · C
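
A hardened form of the header allocation above, following the two listed mitigations. This is an added example, not part of the CWE entry or the original page; the PacketHeader layout, the MAX_HEADERS macro and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_HEADERS 100   /* upper bound used by the page's first example */

/* Hypothetical stand-in for the page's PacketHeader type. */
typedef struct { uint16_t type; uint16_t length; } PacketHeader;

/* The page's flawed test: only the maximum is checked, so negatives pass. */
static int max_only_check(int num_headers) {
    return num_headers <= MAX_HEADERS;
}

/* Corrected test: "one or more headers" means the range is [1, MAX_HEADERS]. */
static int range_check(int num_headers) {
    return num_headers >= 1 && num_headers <= MAX_HEADERS;
}

/* Byte count the flawed code would pass to malloc: the signed count is
 * converted to size_t before the multiplication, so -1 becomes enormous. */
static size_t request_size(int num_headers) {
    return (size_t)num_headers * sizeof(PacketHeader);
}

/* Hardened allocation: validate both bounds on the signed wire value, then
 * carry the count as size_t from here on. Returns NULL if the count is
 * rejected or the allocation fails; *count_out is set only on success. */
static PacketHeader *alloc_headers(int num_headers, size_t *count_out) {
    if (!range_check(num_headers))
        return NULL;
    size_t count = (size_t)num_headers;
    PacketHeader *headers = calloc(count, sizeof *headers);
    if (headers != NULL)
        *count_out = count;
    return headers;
}

int main(void) {
    size_t n = 0;
    PacketHeader *h = alloc_headers(-1, &n);   /* constructed hostile input */
    printf("max-only check accepts -1: %d (would request %zu bytes)\n",
           max_only_check(-1), request_size(-1));
    printf("range check accepts -1: %d, allocation %s\n",
           range_check(-1), h ? "made" : "refused");
    free(h);
    return 0;
}
```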
The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short ints are frequently used within real-world code, such as code that processes structured data.
    int GetUntrustedInt () {
        return(0x0000FFFF);
    }

    void main (int argc, char **argv) {
        char path[256];
        char *input;
        int i;
        short s;
        unsigned int sz;

        i = GetUntrustedInt();
        s = i;
        /* s is -1 so it passes the safety check - CWE-697 */
        if (s > 256) {
            DiePainfully("go away!\n");
        }

        /* s is sign-extended and saved in sz */
        sz = s;

        /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */
        printf("i=%d, s=%d, sz=%u\n", i, s, sz);

        input = GetUserInput("Enter pathname:");

        /* strncpy interprets s as unsigned int, so it's treated as MAX_INT (CWE-195), enabling buffer overflow (CWE-119) */
        strncpy(pat
Bad · C
CVE ID | Title | CVSS | Severity | Published
CVE-2023-0425 | ABB Freelance controllers security vulnerability — Freelance controllers AC 700F | 8.6 | High | 2023-08-07
CVE-2019-20925 | MongoDB Server authorization issue vulnerability — MongoDB Server | 7.5 | High | 2020-11-24

CWE-839 (Numeric Range Comparison Without Minimum Check) is a common weakness category; this platform lists 2 CVEs associated with it.