Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.
CWE-194 Variante Incompleto
Unexpected Sign Extension
This vulnerability occurs when a signed number from a smaller data type is moved or cast to a larger type, causing its sign bit to be incorrectly extended. If the original value is negative, this…
Definição
What is CWE-194?
This vulnerability occurs when a signed number from a smaller data type is moved or cast to a larger type, causing its sign bit to be incorrectly extended. If the original value is negative, this sign extension can fill the new, higher-order bits with '1's, leading to unexpectedly large positive values and causing logic errors, buffer overflows, or security bypasses.
Sign extension is a standard behavior in programming languages like C and C++ when promoting a signed integer (e.g., a signed 8-bit `char`) to a larger signed type (e.g., a 32-bit `int`). The problem arises when developers don't account for this automatic behavior, especially when treating the resulting value as an unsigned number or using it for operations like memory allocation, array indexing, or length validation. A classic example is reading a byte value of `0xFF` (-1 as a signed char) into an unsigned integer, which becomes `0xFFFFFFFF` (a very large positive number), potentially leading to out-of-bounds access.
To prevent this, developers must be explicit about data types during conversions. Always consider if the source data should be treated as signed or unsigned before widening it. Use explicit casts to the intended target type, and when working with raw byte data or protocol parsing, prefer unsigned types for counts and indices. Performing range checks on the source value before the conversion or using bit masks (e.g., `new_value = old_value & 0xFF`) can effectively strip unwanted sign-extended bits and ensure the resulting value matches the intended logic.
Impacto no mundo real
Real-world CVEs caused by CWE-194
-
Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
-
Sign extension error produces -1 value that is treated as a command separator, enabling OS command injection.
-
Product uses "char" type for input character. When char is implemented as a signed type, ASCII value 0xFF (255), a sign extension produces a -1 value that is treated as a program-specific separator value, effectively disabling a length check and leading to a buffer overflow. This is also a multiple interpretation error.
-
chain: signed short width value in image processor is sign extended during conversion to unsigned int, which leads to integer overflow and heap-based buffer overflow.
-
chain: signedness error allows bypass of a length check; later sign extension makes exploitation easier.
-
Sign extension when manipulating Pascal-style strings leads to integer overflow and improper memory copy.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
Identificar um caminho de código que trata input não confiável sem validação.
- 2
Criar um payload que explora o comportamento inseguro — injeção, traversal, overflow ou abuso de lógica.
- 3
Entregar o payload através de um pedido normal e observar a reação da aplicação.
- 4
Iterar até que a resposta exponha dados, execute código do atacante ou escale privilégios.
Exemplo de código vulnerável
Vulnerable C
The following code reads a maximum size and performs a sanity check on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.
int GetUntrustedInt () {
return(0x0000FFFF);
}
void main (int argc, char **argv) {
char path[256];
char *input;
int i;
short s;
unsigned int sz;
i = GetUntrustedInt();
s = i;
/* s is -1 so it passes the safety check - CWE-697 */
if (s > 256) {
DiePainfully("go away!\n");
}
/* s is sign-extended and saved in sz */
sz = s;
/* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */
printf("i=%d, s=%d, sz=%u\n", i, s, sz);
input = GetUserInput("Enter pathname:");
/* strncpy interprets s as unsigned int, so it's treated as MAX_INT
(CWE-195), enabling buffer overflow (CWE-119) */
strncpy(path, input, s);
path[255] = '\0'; /* don't want CWE-170 */
printf("Path is: %s\n", path);
} Exemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-194
- Implementation Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.
Sinais de deteção
How to detect CWE-194
Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.
Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.
Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.
O Plexicus deteta automaticamente o CWE-194 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-194?
Qual a gravidade do CWE-194?
Que linguagens ou plataformas são afetadas pelo CWE-194?
Como posso prevenir o CWE-194?
Como é que o Plexicus deteta e corrige o CWE-194?
Onde posso saber mais sobre o CWE-194?
Frequently asked questions
O que é o CWE-194?
This vulnerability occurs when a signed number from a smaller data type is moved or cast to a larger type, causing its sign bit to be incorrectly extended. If the original value is negative, this sign extension can fill the new, higher-order bits with '1's, leading to unexpectedly large positive values and causing logic errors, buffer overflows, or security bypasses.
Qual a gravidade do CWE-194?
A MITRE classifica a probabilidade de exploração como Alta — esta fraqueza é ativamente explorada em campo e deve ser priorizada para remediação.
Que linguagens ou plataformas são afetadas pelo CWE-194?
MITRE lists the following affected platforms: C, C++.
Como posso prevenir o CWE-194?
Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.
Como é que o Plexicus deteta e corrige o CWE-194?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-194 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-194?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/194.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-194
CWE-681 Pai
Incorrect Conversion between Numeric Types
This vulnerability occurs when a program converts a value from one numeric type to another (like a 64-bit integer to a 32-bit integer) and…
CWE-192 Irmão
Integer Coercion Error
An integer coercion error occurs when a program incorrectly converts, extends, or truncates a number between different data types, leading…
CWE-195 Irmão
Signed to Unsigned Conversion Error
This vulnerability occurs when a signed integer (which can hold negative values) is converted to an unsigned integer (which holds only…
CWE-196 Irmão
Unsigned to Signed Conversion Error
This vulnerability occurs when a program takes an unsigned integer and converts it directly to a signed integer. If the original unsigned…
CWE-197 Irmão
Numeric Truncation Error
A numeric truncation error happens when a program converts a number to a smaller data type, cutting off its higher-order bits and…
Recursos
Further reading
- MITRE — CWE-194 oficial https://cwe.mitre.org/data/definitions/194.html
- C Language Issues for Application Security http://www.informit.com/articles/article.aspx?p=686170&seqNum=6
- Integral Security https://drdobbs.com/cpp/integral-security/193501774
- The CLASP Application Security Process https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.