Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-839 (未进行最小值检查的数值范围比较) — Vulnerability Class 2

2 vulnerabilities classified as CWE-839 (未进行最小值检查的数值范围比较). AI Chinese analysis included.

CWE-839 represents a numeric range comparison weakness where software validates that an input does not exceed a maximum threshold but neglects to verify that the value meets a minimum boundary. This oversight is typically exploited by attackers supplying negative numbers or unexpectedly low values, which can bypass logic assuming positive inputs, leading to buffer overflows, integer underflows, or unauthorized access. Developers often encounter this when using signed integers for inherently positive data without explicit lower-bound checks. To prevent such vulnerabilities, engineers must implement comprehensive input validation that explicitly enforces both upper and lower limits. Utilizing unsigned integer types where appropriate and rigorously testing edge cases, including negative and zero values, ensures that all numeric inputs remain within the expected safe range, thereby eliminating the potential for exploitation through boundary violations.

MITRE CWE Description
The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum. Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.
Common Consequences (3)
Integrity, Confidentiality, AvailabilityModify Application Data, Execute Unauthorized Code or Commands
An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.
AvailabilityDoS: Resource Consumption (Other)
in some contexts, a negative value could lead to resource consumption.
Confidentiality, IntegrityModify Memory, Read Memory
If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.
Mitigations (2)
ImplementationIf the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.
ImplementationIf the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
Examples (2)
The following code is intended to read an incoming packet from a socket and extract one or more headers.
DataPacket *packet; int numHeaders; PacketHeader *headers; sock=AcceptSocketConnection(); ReadPacket(packet, sock); numHeaders =packet->headers; if (numHeaders > 100) { ExitError("too many headers!"); } headers = malloc(numHeaders * sizeof(PacketHeader); ParsePacketHeaders(packet, headers);
Bad · C
The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.
int GetUntrustedInt () { return(0x0000FFFF); } void main (int argc, char **argv) { char path[256]; char *input; int i; short s; unsigned int sz; i = GetUntrustedInt(); s = i; /* s is -1 so it passes the safety check - CWE-697 */ if (s > 256) { DiePainfully("go away!\n"); } /* s is sign-extended and saved in sz */ sz = s; /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */ printf("i=%d, s=%d, sz=%u\n", i, s, sz); input = GetUserInput("Enter pathname:"); /* strncpy interprets s as unsigned int, so it's treated as MAX_INT (CWE-195), enabling buffer overflow (CWE-119) */ strncpy(pat
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2023-0425 Buffer overflow in global memory region — Freelance controllers AC 700F 8.6 High2023-08-07
CVE-2019-20925 Denial of service via malformed network packet — MongoDB Server 7.5 High2020-11-24

Vulnerabilities classified as CWE-839 (未进行最小值检查的数值范围比较) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.