Corgea LogoCorgea Security Hub

CWE-195: Signed to Unsigned Conversion Error

Learn about CWE-195 (Signed to Unsigned Conversion Error), its security impact, exploitation methods, and prevention guidelines.

What is Signed to Unsigned Conversion Error?

• Overview: Signed to Unsigned Conversion Error occurs when a signed integer is cast to an unsigned integer, causing unexpected values, particularly when negative numbers are involved. This can lead to erroneous program behavior as signed integers can represent negative values, while unsigned integers cannot.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by manipulating input values that result in negative numbers being incorrectly cast to large unsigned integers.
  • Common attack patterns include using functions that return negative error codes and passing these values to APIs expecting unsigned integers, potentially leading to buffer overflows.

• Security Impact:

  • Direct consequences include buffer overflows or underflows, potentially allowing attackers to execute arbitrary code.
  • Potential cascading effects involve memory corruption, application crashes, or unauthorized access to sensitive data.
  • Business impact may include data breaches, loss of customer trust, legal repercussions, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include checking the range and validity of integers before casting, and explicitly handling negative values.
  • Security best practices involve using safe integer handling functions and avoiding assumptions about implicit casts.
  • Recommended tools and frameworks include static analysis tools to detect unsafe casts, and using safe programming languages or libraries that handle signed and unsigned conversions robustly.
Corgea can automatically detect and fix Signed to Unsigned Conversion Error in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: C, C++

Affected Technologies: Not specified

Vulnerable Code Example

// This code demonstrates a signed to unsigned conversion error vulnerability.
// The `read_input` function reads an integer from the user and uses it to allocate memory.
// If a negative value is entered, it becomes a large positive number due to conversion.
#include <stdio.h>
#include <stdlib.h>

void read_input() {
    int length;
    printf("Enter the number of elements: ");
    scanf("%d", &length);  // User input, potentially negative

    // Vulnerable conversion from signed int to unsigned size_t
    size_t size = (size_t)length;  // Conversion happens here

    int *array = (int *)malloc(size * sizeof(int));  // Can cause excessive allocation
    if (array == NULL) {
        printf("Memory allocation failed\n");
        exit(1);
    }
    // ... (use the array)
    free(array);
}

int main() {
    read_input();
    return 0;
}

How to fix Signed to Unsigned Conversion Error?

To fix the signed to unsigned conversion error, we must ensure that the input value is non-negative before performing the conversion. This prevents negative values from being interpreted as large positive numbers when cast to an unsigned type. The best practice is to validate the input and handle any invalid cases appropriately. Here, we will check if the input value is negative and handle it by displaying an error message, thus avoiding the potential for excessive memory allocation or other unintended behavior.

Fixed Code Example

// Fixed code with input validation to prevent negative values from causing issues
#include <stdio.h>
#include <stdlib.h>

void read_input() {
    int length;
    printf("Enter the number of elements: ");
    scanf("%d", &length);

    if (length < 0) {  // Input validation to ensure non-negative values
        printf("Error: Number of elements cannot be negative.\n");
        return;  // Exit the function early if input is invalid
    }

    size_t size = (size_t)length;  // Safe conversion after validation

    int *array = (int *)malloc(size * sizeof(int));  // Safe allocation
    if (array == NULL) {
        printf("Memory allocation failed\n");
        exit(1);
    }
    // ... (use the array)
    free(array);
}

int main() {
    read_input();
    return 0;
}

In the fixed code, a check is added to ensure that length is non-negative before the conversion and memory allocation. This prevents potential issues related to negative input values being misinterpreted as large unsigned sizes. This approach highlights the importance of input validation in preventing such vulnerabilities. Additionally, the code examples now use proper syntax highlighting and formatting conventions.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-195: Signed to Unsigned Conversion Error and get remediation guidance

Start for free and no credit card needed.