Integer-Overflows
From OSDev Wiki
This page is a work in progress!
Integer overflows do not cause a direct impact the way stack- or heap-based overflows do. Instead they lead to those kinds of bugs (usually heap-based) later in the code. For instance, say we have an application parsing data from a protocol or file format:

```c
int size = read_int_from_network();        /* attacker-controlled, never range-checked */
char *buffer = malloc(size + 1);           /* leave room for NUL; size == -1 wraps to malloc(0) */
memcpy(buffer, data_from_network(), size); /* size converts to size_t: copies 2^32-1 bytes (32-bit) */
```
As we can see, there is no verification of the size read from the user, and this causes large problems later in the code. Examples in OS development where this arises include ELF parsers (think segment/program header and entry point offsets into the file), network parsers, read/write/lseek implementations, etc. If your code takes input from the user you *MUST* verify that it fits within the range of the data you are going to process with it. You should also check for integer {over,under}flow on each arithmetic operation performed on user-supplied data.
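The following is an added example, not code from the OSDev Wiki, showing the hardened form of the fragment above: a negative or oversized length is rejected before anything is allocated, the `+ 1` is done with a wrap check on `size_t`, and the same checked arithmetic is applied to an ELF-style `offset + count * entsize` bounds test. `MAX_MESSAGE_LEN`, `copy_message`, `range_in_file`, and the sample payload are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound a parser is willing to accept; constructed for this example. */
#define MAX_MESSAGE_LEN 65536

/* a + b without wrapping; returns false (and leaves *out untouched) if it would wrap. */
static bool checked_add_size(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}

/* a * b without wrapping; same contract as checked_add_size. */
static bool checked_mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Validate the raw int that came off the wire and compute the allocation size (len + 1). */
static bool length_is_valid(int size, size_t *alloc_len) {
    if (size < 0) return false;                       /* negative lengths are never legitimate */
    if ((size_t)size > MAX_MESSAGE_LEN) return false; /* policy bound, independent of overflow */
    return checked_add_size((size_t)size, 1, alloc_len);
}

/* Copy `size` bytes of payload into a fresh NUL-terminated buffer; NULL when rejected. */
char *copy_message(const unsigned char *payload, size_t payload_len, int size) {
    size_t alloc_len;
    if (!length_is_valid(size, &alloc_len)) return NULL;
    if ((size_t)size > payload_len) return NULL;      /* never read past the bytes we hold */
    char *buffer = malloc(alloc_len);
    if (buffer == NULL) return NULL;
    memcpy(buffer, payload, (size_t)size);
    buffer[size] = '\0';
    return buffer;
}

/* ELF-style check: does a table of `count` entries of `entsize` bytes at `offset`
 * lie entirely inside a file of `file_len` bytes? Both the multiply and the add
 * are checked, so a huge count or offset cannot wrap the end back inside the file. */
bool range_in_file(size_t offset, size_t count, size_t entsize,
                   size_t file_len, size_t *end_out) {
    size_t bytes, end;
    if (!checked_mul_size(count, entsize, &bytes)) return false;
    if (!checked_add_size(offset, bytes, &end)) return false;
    if (end > file_len) return false;
    if (end_out) *end_out = end;
    return true;
}

int main(void) {
    /* Constructed sample: a 5-byte payload with three different claimed lengths. */
    const unsigned char payload[] = "hello";
    int claimed[] = { 5, -1, INT_MAX };
    for (size_t i = 0; i < sizeof claimed / sizeof claimed[0]; i++) {
        char *m = copy_message(payload, 5, claimed[i]);
        printf("size %d -> %s\n", claimed[i], m ? m : "rejected");
        free(m);
    }
    printf("table at SIZE_MAX-1 of 4x16 in 64-byte file: %s\n",
           range_in_file(SIZE_MAX - 1, 4, 16, 64, NULL) ? "ok" : "rejected");
    return 0;
}
```

The checks are written in unsigned arithmetic on purpose: `size + 1` on the signed `int` is undefined behaviour when `size == INT_MAX`, so the value is first rejected if negative, then converted to `size_t`, and only then added to with a comparison against `SIZE_MAX` that can never wrap.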
The best explanation of integer overflows, with detail drawn from the C specification, can be found in The Art of Software Security Assessment, which is listed in Application-Security-Books.
