Integer Overflows/Underflows

From OWASP
Revision as of 21:20, 30 May 2009 by Deleted user (Talk | contribs)



This page was marked to be reviewed for deletion.


#REDIRECT Integer_overflow


Last revision: 05/30/2009



Description

Integer overflow belongs to the family of logic errors. It occurs when an arithmetic operation produces a result outside the range of the int (integer) type. Generally, only two operations cause these kinds of errors: addition and multiplication.


Risk Factors

TBD

Examples

Example 1 (addition)

rezos@bezel ~/labs/integer $ cat add.c
#include <stdio.h>
#include <limits.h>

int main(void)
{
 int a;

//  a=2147483647;
 a=INT_MAX;

 printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);

 return 0;
}

rezos@bezel ~/labs/integer $ ./add
int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)

By adding 1 to the largest possible value of a signed integer (one that can be positive or negative) we overwrite the sign bit. In short, by adding two positive numbers we get one large negative number.


Example 2 (multiplication)

rezos@bezel ~/labs/integer $ cat multiplication.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv)
{
 int i, j, z=0x00000001;
 char *tab;

 if(argc<2) _exit(1);

 i=atoi(argv[1]);

 if(i>0) {
   tab = malloc(i * sizeof(char *));
   if(tab == NULL) _exit(2);
 }

 for(j=0; j<i; j++)
   tab[j]=z++;

 for(j=0; j<i; j++)
   printf("tab[j]=0x%x\n", tab[j]);

 return 0;
}

rezos@bezel ~/labs/integer $ ./multiplication 1073741824
Segmentation fault

The program should write a "z" value into the array of pointers and then print it out. With a specially selected array size (number of its elements) it's possible to use an integer overflow error to overflow the array "tab".

The example below explains why it happens.

rezos@bezel ~/labs/integer $ cat multi.c
#include <stdio.h>

int main(void)
{
 printf ("1073741824 *4 = %d\n", 1073741824 * 4);
 return 0;
}

In this program we multiply 1073741824 * 4 because sizeof(char *) will return 4.

rezos@bezel ~/labs/integer $ gcc -ggdb multi.c -o multi
multi.c: In function 'main':
multi.c:6: warning: integer overflow in expression

The compiler warns us that the program contains an expression which causes an integer overflow. To confirm the result of the multiplication, we run the program:

rezos@bezel ~/labs/integer $ ./multi
1073741824 *4 = 0

malloc(0) (in the main example) will successfully allocate memory of size 0, and that will allow memory segments on the heap to be overwritten.

Memory allocation with a negative value may cause allocation of a very small or a very big memory segment, depending on the implementation of the *alloc() functions. Integer overflow errors may also lead to a situation in which conditional statements that are supposed to check buffer boundaries are skipped.

Integer overflow errors are not always a threat in themselves. However, they make it possible to overwrite or read memory content beyond the boundaries of buffers, for example during buffer indexing.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

  • Use a programming language and/or compiler that checks buffer boundaries and their indexes.
  • Use libraries that provide an API for arithmetic operations (e.g. safe_iop[1], IntegerLib[2]).
  • Check the results of arithmetic operations on integers and compare them with the expected values.
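
The last control, applied to the two examples above (an added example, not code from the original page): the range is tested before the operation, so the overflowing expression is never evaluated. The function names checked_add, checked_mul_u32 and alloc_table are hypothetical, and uint32_t stands in for the 32-bit size_t of the platform shown in the examples.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Signed addition with the range test done before the add, so the
 * overflowing expression from add.c is never evaluated. 0 = ok. */
int checked_add(int a, int b, int *sum)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *sum = a + b;
    return 0;
}

/* count * elem_size in 32 bits (uint32_t stands in for the page's
 * 32-bit size_t, an assumption so results match on any host). */
int checked_mul_u32(uint32_t count, uint32_t elem_size, uint32_t *bytes)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *bytes = count * elem_size;
    return 0;
}

/* Hardened allocation for multiplication.c: strtol instead of atoi,
 * reject non-positive counts, check the product before malloc. */
char **alloc_table(const char *arg, size_t *count)
{
    char *end;
    long n;
    errno = 0;
    n = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || n <= 0)
        return NULL;
    if ((unsigned long)n > SIZE_MAX / sizeof(char *))
        return NULL;
    *count = (size_t)n;
    return malloc((size_t)n * sizeof(char *));
}

int main(void)
{
    int sum;
    uint32_t bytes;
    printf("%d %d\n", checked_add(INT_MAX, 1, &sum),
           checked_mul_u32(1073741824u, 4u, &bytes)); /* prints -1 -1 */
    return 0;
}
```
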

References