ABSTRACT

The function is declared to return an unsigned number but returns a signed value.

EXPLANATION

It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate weak assumptions made elsewhere in the program.

Example: Depending on the return value of accessmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.


unsigned int readdata () {
    int amount = 0;                 /* signed: can legitimately hold -1 */
    ...
    amount = accessmainframe();     /* may return -1 to signal an error */
    ...
    return amount;                  /* implicit int -> unsigned int conversion */
}


If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint it is most commonly associated with integer overflow and buffer overflow vulnerabilities.
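The following is an added, self-contained C example (not code from the page) that reproduces the readdata() pattern above and places a hardened form beside it. The page does not define accessmainframe(), so a constructed stand-in, fake_access_mainframe(), returns either a byte count or -1 as an assumed error code; the hardened version keeps the error status separate from the unsigned count and converts only after checking the sign.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for accessmainframe(): returns a byte count on
 * success or -1 on failure. This signature is an assumption; the page
 * does not define the real function. */
static int fake_access_mainframe(bool fail) {
    return fail ? -1 : 512;
}

/* The pattern from the page: declared unsigned, but returns a signed int.
 * On failure the -1 error code is silently converted to UINT_MAX
 * (4,294,967,295 where unsigned int is 32 bits). */
unsigned int readdata_unchecked(bool fail) {
    int amount = 0;
    amount = fake_access_mainframe(fail);
    return amount;                  /* implicit int -> unsigned int conversion */
}

/* Hardened form: report success/failure through the return value and
 * hand back the count through an out-parameter only when it is known
 * to be non-negative, so no negative value is ever converted. */
int readdata_checked(bool fail, unsigned int *out) {
    int amount = fake_access_mainframe(fail);
    if (amount < 0) {
        return -1;                  /* propagate the error, do not convert it */
    }
    *out = (unsigned int)amount;    /* safe: 0 <= amount <= INT_MAX fits */
    return 0;
}

/* Convenience wrapper returning only the status, for callers that just
 * need to know whether a count was produced. */
int readdata_status(bool fail) {
    unsigned int unused = 0;
    return readdata_checked(fail, &unused);
}

/* Caller-side guard: a length derived from the unchecked function would be
 * UINT_MAX on failure, far larger than any real buffer. */
bool length_fits(unsigned int len, size_t capacity) {
    return len <= capacity;
}

int main(void) {
    unsigned int n = 0;
    printf("unchecked, failure: %u (UINT_MAX is %u)\n",
           readdata_unchecked(true), UINT_MAX);
    if (readdata_checked(true, &n) != 0)
        printf("checked, failure: error reported, no count produced\n");
    if (readdata_checked(false, &n) == 0)
        printf("checked, success: %u bytes\n", n);
    printf("length_fits(unchecked failure, 1024) = %d\n",
           length_fits(readdata_unchecked(true), 1024));
    return 0;
}
```

The unchecked variant turns a failure into a huge, positive-looking byte count; if that value then sizes a buffer or bounds a copy, the integer conversion becomes the buffer overflow the explanation describes. Separating status from data, as readdata_checked() does, removes the need for any implicit signed-to-unsigned conversion.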

REFERENCES

[1] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3550 CAT I

[2] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 195