# Difference between revisions of "Integer Overflows/Underflows"

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision: 09/12/2008

## Description

Integer overflow belongs to a logic errors family. It occurs when a given range of int (integer) type numbers is overflowed due to arithmetic operations. Generally there are only two operations which cause these kind of errors - addition and multiplication.

TBD

## Examples

```rezos@bezel ~/labs/integer \$ cat add.c
#include <stdio.h>
#include <limits.h>

int main(void)
{
int a;

//  a=2147483647;
a=INT_MAX;

printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);

return 0;
}

int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)
```

By adding 1 to the biggest possible signed (+ or -) integer value we overwrite the sign bit. In short, by adding two positive numbers we get one big negative number.

Example 2 (multiplication)

```rezos@bezel ~/labs/integer \$ cat multiplication.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv)
{
int i, j, z=0x00000001;
char *tab;

if(argc<2) _exit(1);

i=atoi(argv[1]);

if(i>0) {
tab = malloc(i * sizeof(char *));
if(tab == NULL) _exit(2);
}

for(j=0; j<i; j++)
tab[j]=z++;

for(j=0; j<i; j++)
printf("tab[j]=0x%x\n", tab[j]);

return 0;
}

rezos@bezel ~/labs/integer \$ ./multiplication 1073741824
Segmentation fault
```

The program should write a "z" value into the array of pointers and then print it out. With a specially selected array size (number of its elements) it's possible to use an integer overflow error to overflow the array "tab".

The example below explains why it happens.

```rezos@bezel ~/labs/integer \$ cat multi.c
#include <stdio.h>

int main(void)
{
printf ("1073741824 *4 = %d\n", 1073741824 * 4);
return 0;
}
```

In this program we multiply 1073741824 * 4 because sizeof(char *) will return 4.

```rezos@bezel ~/labs/integer \$ gcc -ggdb multi.c -o multi
multi.c: In function 'main':
multi.c:6: warning: integer overflow in expression
```

The compiler warns us that the program contains an expression which causes an integer overflow. To make sure what the result of the multiplication will be:

```rezos@bezel ~/labs/integer \$ ./multi
1073741824 *4 = 0
```

malloc(0) (in the main example) will allocate memory with size 0 correctly(poprawnie)/successfully(z powodzeniem), and that will allow for overwriting memory segments on the heap.

Memory allocation with a negative value may cause allocation of very small or very big memory segments depending on the implementation of the *alloc() functions. Integer overflow errors may also lead to the situation where condition statements, which are supposed to check buffers boundaries, are omitted.

Integer overflow errors are not always a threat themselves. However they provide the possibility to overwrite or to read memory content beyond boudries of the buffers, for example during buffer indexing.

## Related Controls

• Use programming language and/or compiler, which will check the buffers boundries and their indexes.
• Use libraries, which provides API for arithmetic operations (e.g. safe_iop[1], IntegerLib[2])
• Check results of the arithmetic operations, which used integer numbers and compare them with the expected values.