CWE-191: Integer Underflow (Wrap or Wraparound)

Description

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

This can happen in signed and unsigned cases.

Potential Impact

Availability

DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

Integrity

Modify Memory

Confidentiality, Availability, Access Control

Execute Unauthorized Code or Commands, Bypass Protection Mechanism

Demonstrative Examples

The following example subtracts from a 32 bit signed integer.

Bad

#include <stdio.h>#include <stdbool.h>main (void){int i;i = -2147483648;i = i - 1;return 0;}

The example has an integer underflow. The value of i is already at the lowest negative value possible, so after subtracting 1, the new value of i is 2147483647.

This code performs a stack allocation based on a length calculation.

Bad

int a = 5, b = 6;
		    size_t len = a - b;
		    char buf[len];    // Just blows up the stack
		  
		  }

Since a and b are declared as signed ints, the "a - b" subtraction gives a negative result (-1). However, since len is declared to be unsigned, len is cast to an extremely large positive number (on 32-bit systems - 4294967295). As a result, the buffer buf[len] declaration uses an extremely large size to allocate on the stack, very likely more than the entire computer's memory space.

Miscalculations usually will not be so obvious. The calculation will either be complicated or the result of an attacker's input to attain the negative value.

Detection Methods

Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID	Description
CVE-2004-0816	Integer underflow in firewall via malformed packet.
CVE-2004-1002	Integer underflow by packet with invalid length.
CVE-2005-0199	Long input causes incorrect length calculation.
CVE-2005-1891	Malformed icon causes integer underflow in loop counter variable.

Taxonomy Mappings

PLOVER: — Integer underflow (wrap or wraparound)
Software Fault Patterns: SFP1 — Glitch in computation
CERT C Secure Coding: INT30-C — Ensure that unsigned integer operations do not wrap
CERT C Secure Coding: INT32-C — Ensure that operations on signed integers do not result in overflow

Frequently Asked Questions

What is CWE-191?

CWE-191 (Integer Underflow (Wrap or Wraparound)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

How can CWE-191 be exploited?

Attackers can exploit CWE-191 (Integer Underflow (Wrap or Wraparound)) to dos: crash, exit, or restart, dos: resource consumption (cpu), dos: resource consumption (memory), dos: instability. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-191?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-191?

CWE-191 is classified as a Base-level weakness (Medium abstraction). It has been observed in 4 real-world CVEs.