
The designer will ensure the application is not vulnerable to integer arithmetic issues.


Overview

Finding ID: V-16808
Version: APP3550
Rule ID: SV-17808r1_rule
IA Controls: DCSQ-1
Severity: High
Description
Integer overflows occur when an integer has not been properly checked before it is used in memory allocation, copying, or concatenation. When an integer is incremented past its maximum representable value, it can wrap around to a very small or negative number. Integer overflows can lead to infinite looping when loop index variables are compromised, causing a denial of service. If the integer is used in data references, the referenced data can become corrupt. If the integer is used to compute an allocation size, the wrapped value produces an undersized buffer, which can cause buffer overflows and a denial of service. Integers used in access control mechanisms can likewise trigger buffer overflows, which can be used to execute arbitrary code.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-17806r1_chk )
Ask the application representative for code review results covering the entire application. These can be the results of an automated code review tool, or of static analysis tools that are known to find this class of vulnerability with few false positives. See section 5.4 of the Application Security and Development STIG for additional details.

If the results are provided from a manual code review, the application representative will need to demonstrate how integer overflow vulnerabilities are identified during code reviews.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify integer overflow vulnerabilities, it is a finding.

Examples of integer overflow vulnerabilities can be obtained from the OWASP website.
Fix Text (F-17101r1_fix)
Modify the application and protect against integer overflow attacks.
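As an added illustration of the allocation-size and counter cases named in the Description (example code, not part of the STIG text), the following C shows a size computation that wraps silently beside checked forms that refuse the overflow instead of returning a wrapped value. The function names are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Naive size computation: count * elem_size wraps silently in size_t,
 * so a huge count yields a tiny allocation that later copies overrun. */
size_t naive_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked size computation: reports overflow instead of returning
 * a wrapped value. Division is used because unsigned multiplication
 * wraps without any signal the caller could test afterwards. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return false;               /* product would not fit in size_t */
    }
    *out = count * elem_size;
    return true;
}

/* Allocate an array of count elements, refusing on overflow rather
 * than handing back an undersized buffer. Caller frees the result. */
void *alloc_array(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Checked signed addition for counters and loop indices: signed
 * overflow is undefined behaviour in C, so the range is tested
 * before the addition is performed, never by inspecting the sum. */
bool checked_add_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return false;               /* sum would leave the int range */
    }
    *out = a + b;
    return true;
}
```

Static analysis tools of the kind the Check Text refers to flag the unchecked pattern in naive_alloc_size; the checked variants are the shape of fix the Fix Text calls for.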