ABSTRACT

The function is declared to return an unsigned value, but in some cases it returns a negative value.

EXPLANATION

It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate weak assumptions made elsewhere in the program.

Example: In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.


unsigned int readdata () {
int amount = 0;
...
if (result == ERROR)
amount = -1;
...
return amount;
}


If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system uses 32-bit integers.

Conversion between signed and unsigned values can lead to a variety of errors, but from a security standpoint is most commonly associated with integer overflow and buffer overflow vulnerabilities.

REFERENCES

[1] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3550 CAT I

[2] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 195