The function is declared to return an unsigned value, but in some cases it returns a negative value.
It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate weak assumptions made elsewhere in the program.
Example: In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.
unsigned int readdata () {
    int amount = 0;                /* signed local */
    ...                            /* read data, setting result */
    if (result == ERROR)
        amount = -1;               /* negative sentinel meant to signal failure */
    ...
    return amount;                 /* implicitly converted to unsigned int */
}
The value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

[1] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3550 CAT I
[2] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 195
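The following added example (not code from the original description) shows the conversion described above next to a hardened form that keeps the error status and the data value in separate channels. ERROR, RECORD_LEN, the result parameter and all function names are constructed for the illustration.

```c
#include <limits.h>
#include <stdio.h>

#define ERROR (-1)        /* constructed stand-in for the page's ERROR code */
#define RECORD_LEN 64u    /* constructed: bytes delivered on a successful read */

/* Shape from the page: a negative sentinel stored in a signed local is
 * returned through an unsigned return type. 'result' stands in for the
 * outcome of the elided I/O code. */
unsigned int readdata_unsigned(int result) {
    int amount = (int)RECORD_LEN;
    if (result == ERROR)
        amount = -1;              /* meant to signal failure ... */
    return amount;                /* ... but arrives as UINT_MAX (4,294,967,295 for 32-bit) */
}

/* Hardened form: error status and payload travel in separate channels, so
 * no sentinel is ever converted between signednesses. The out-parameter
 * is written only on success. */
int readdata_checked(int result, unsigned int *amount_out) {
    if (result == ERROR)
        return -1;
    *amount_out = RECORD_LEN;
    return 0;
}

/* Explicit conversion guard for the cases where a signed value genuinely
 * has to become unsigned: refuse negatives instead of wrapping them. */
int to_unsigned_checked(int value, unsigned int *out) {
    if (value < 0)
        return -1;
    *out = (unsigned int)value;
    return 0;
}

/* Caller that sizes its work from the read result; returns 0 on failure
 * instead of a wrapped-around length. */
unsigned int bytes_to_process(int result) {
    unsigned int n;
    if (readdata_checked(result, &n) != 0)
        return 0;
    return n;
}

int main(void) {
    printf("unsigned variant on error: %u\n", readdata_unsigned(ERROR));
    printf("checked variant on error: %u bytes to process\n", bytes_to_process(ERROR));
    return 0;
}
```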