CWE-394
Unexpected Status Code or Return Value
Draft
2006-07-19
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Nazwa: Unexpected Status Code or Return Value
The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
Informacje ogólne
Sposoby wprowadzenia
ImplementationOdpowiednie platformy
Język
Class: Not Language-Specific (Undetermined)Typowe konsekwencje
| Zakres | Wpływ | Prawdopodobieństwo |
|---|---|---|
| Integrity Other | Unexpected State, Alter Execution Logic |
Zaobserwowane przykłady
| Odniesienia | Opis |
|---|---|
CVE-2004-1395 | Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit. |
CVE-2002-2124 | Unchecked return code from recv() leads to infinite loop. |
CVE-2005-2553 | Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't. |
CVE-2005-1858 | Memory not properly cleared when read() function call returns fewer bytes than expected. |
CVE-2000-0536 | Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname. |
CVE-2001-0910 | Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname. |
CVE-2004-2371 | Game server doesn't check return values for functions that handle text strings and associated size values. |
CVE-2005-1267 | Resultant infinite loop when function call returns -1 value. |
Metody wykrywania
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Skuteczność : High
Uwagi dotyczące mapowania podatności
Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notatki
Usually primary, but can be resultant from issues such as behavioral change or API abuse. This can produce resultant vulnerabilities.Zgłoszenie
| Nazwa | Organizacja | Data | Data wydania | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modyfikacje
| Nazwa | Organizacja | Data | Komentarz |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Other_Notes, Relationship_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships, Weakness_Ordinalities |
