The following code excerpt from OpenSSH 3.3 demonstrates a classic case of integer overflow: nresp = packet_get_int () if ( nresp > 0 ) If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems ( CWE-119). This will result in a very small list to be allocated instead. This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow ( CWE-190). num_imgs = get_num_imgs () table_ptr = ( img_t * ) malloc ( sizeof ( img_t ) * num_imgs ). img_t table_ptr /*struct containing img data, 10kB each*/ int num_imgs. The following image processing code allocates a table for images. Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls. The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc. This is especially the case if the integer overflow can be triggered using user-supplied inputs. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. When this occurs, the value may wrap to become a very small or negative number. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |