CWE-839: Numeric Range Comparison Without Minimum Check
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.
Common Consequences
Scope: Integrity, Confidentiality, Availability
Technical Impact: Modify Application Data; Execute Unauthorized Code or Commands
Note: An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.
Scope: Availability
Technical Impact: DoS: Resource Consumption (Other)
Note: In some contexts, a negative value could lead to resource consumption.
Scope: Confidentiality, Integrity
Technical Impact: Modify Memory; Read Memory
Note: If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.
Potential Mitigations
Phase: Implementation
Strategy: Enforcement by Conversion
Description: If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.
Phase: Implementation
Strategy: Input Validation
Description: If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
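Added example (not part of the CWE entry): the maximum-only check on a signed index that this entry describes, placed next to both mitigations above, using a constructed lookup table. The table, its length and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table; the index into it comes from untrusted input. */
#define TABLE_LEN 8   /* int literal, so comparisons with an int stay signed */
static const int32_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/* CWE-839: maximum-only check. Both operands are int, so the comparison is
 * signed and a negative idx is accepted; table[idx] would then read before
 * the start of the buffer (buffer under-read). Returns 1 if idx is accepted. */
int max_only_check_accepts(int idx)
{
    return idx < TABLE_LEN;            /* missing: idx >= 0 */
}

/* Mitigation "Input Validation": the value stays signed (the spec may allow
 * negatives elsewhere), so both bounds are checked explicitly. */
int range_check_accepts(int idx)
{
    return idx >= 0 && idx < TABLE_LEN;
}

/* Mitigation "Enforcement by Conversion": the index type is size_t, so a
 * caller's -1 arrives as SIZE_MAX and the single maximum check rejects it. */
int unsigned_check_accepts(size_t idx)
{
    return idx < TABLE_LEN;
}

/* Hardened lookup: returns the element, or fallback when idx is out of range. */
int32_t lookup(int idx, int32_t fallback)
{
    if (!range_check_accepts(idx))
        return fallback;
    return table[idx];
}

int main(void)
{
    printf("max-only check accepts -1:            %d\n", max_only_check_accepts(-1));
    printf("range check accepts -1:               %d\n", range_check_accepts(-1));
    printf("unsigned check accepts (size_t)-1:    %d\n", unsigned_check_accepts((size_t)-1));
    printf("lookup(3)  -> %d\n", lookup(3, -999));
    printf("lookup(-1) -> %d\n", lookup(-1, -999));
    return 0;
}
```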
Observed Examples
Reference: CVE-2010-1866
Chain: integer overflow (CWE-190) causes a negative signed value, which later bypasses a maximum-only check (CWE-839), leading to heap-based buffer overflow (CWE-122).
Reference: CVE-2009-1099
Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.
Reference: CVE-2011-0521
Chain: kernel's lack of a check for a negative value leads to memory corruption.
Reference: CVE-2010-3704
Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write.
Reference: CVE-2010-2530
Chain: negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.
Reference: CVE-2009-3080
Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.
Reference: CVE-2008-6393
Chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.
Reference: CVE-2008-4558
Chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.