Meaningless comparison of unsigned variable against negative value

c.integer_overflow.incorrect_unsigned_comparison

Severity

low

Resource

Integer Overflow

Language

C / C++

Description

Checking if an unsigned variable is negative makes no sense and is usually a good indication that something is probably wrong with the code.

Rationale

Checking if an unsigned variable is negative makes no sense and is usually a good indication that something is probably wrong with the code.

The following code illustrates a vulnerable pattern detected by this rule:

int bad1()
{
	size_t uvar;

	// VULNERABLE: Meaningless comparison of unsigned variable against negative value
	if (uvar < 0)
		return 1;

	return 0;
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References

CWE-697
OWASP Top 10 2021 - A04 : Insecure Design.
https://g.co/kgs/PCHQjJ
CERTC-INT31-C