Security lesson no.4: Integer overflow
March 02, 2006 10:41

To finish the cycle of lessons on overflow-based attacks, I couldn't miss a mention of integer arithmetic overflow. Integer arithmetic overflow is harmless on its own, but it can be combined with another type of attack, typically a buffer overflow. Consider the following code from a previous lesson:

#include <stddef.h>
#include <string.h>

int ConcatString(char *buf1, char *buf2, size_t len1, size_t len2)
{
    char buf[256];
    /* Bounds check before copying: rejects inputs whose combined length exceeds buf */
    if ((len1 + len2) > 256)
        return -1;
    memcpy(buf, buf1, len1);
    memcpy(buf + len1, buf2, len2);
    return 0;
}

It seems to avoid the buffer overflow problem with a simple check. However, this function is insecure. Why? Discover it in my slides!

IntOverflow.ppt (128.5 KB)
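The following C program is an added example and is not code from the lesson or its slides. It places the lesson's length check next to an overflow-proof version and runs both against constructed lengths whose size_t sum wraps around to zero; the function names naive_check_accepts, safe_check_accepts and ConcatStringSafe, and the constant BUF_SIZE, are assumptions introduced here for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256  /* same destination size as the lesson's ConcatString */

/* The check exactly as the lesson writes it. The sum of two size_t values is
 * itself a size_t, so it wraps modulo SIZE_MAX + 1 and may come out small. */
int naive_check_accepts(size_t len1, size_t len2)
{
    return (len1 + len2) > BUF_SIZE ? 0 : 1;
}

/* Overflow-proof form: compare each operand against the space that remains
 * instead of forming the sum. Neither subtraction nor comparison can wrap,
 * because len1 <= BUF_SIZE is established before BUF_SIZE - len1 is computed. */
int safe_check_accepts(size_t len1, size_t len2)
{
    if (len1 > BUF_SIZE)
        return 0;
    if (len2 > BUF_SIZE - len1)
        return 0;
    return 1;
}

/* Hardened concatenation with the same contract as the lesson's ConcatString:
 * the copies run only after the overflow-proof check has passed. */
int ConcatStringSafe(char *buf1, char *buf2, size_t len1, size_t len2)
{
    char buf[BUF_SIZE];
    if (!safe_check_accepts(len1, len2))
        return -1;
    memcpy(buf, buf1, len1);
    memcpy(buf + len1, buf2, len2);
    return 0;
}

int main(void)
{
    /* Constructed lengths: 16 + (SIZE_MAX - 15) wraps to exactly 0 as size_t. */
    size_t len1 = 16;
    size_t len2 = SIZE_MAX - 15;
    printf("len1 + len2 as size_t   = %zu\n", len1 + len2);
    printf("naive check accepts it  = %d\n", naive_check_accepts(len1, len2));
    printf("safe  check accepts it  = %d\n", safe_check_accepts(len1, len2));

    /* Constructed inputs for the hardened function: two 256-byte sources. */
    char a[BUF_SIZE], b[BUF_SIZE];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    printf("ConcatStringSafe(100,100) = %d\n", ConcatStringSafe(a, b, 100, 100));
    printf("ConcatStringSafe(200,100) = %d\n", ConcatStringSafe(a, b, 200, 100));
    return 0;
}
```

The naive check passes the wrapped pair because the comparison sees 0, not a huge number; the safe check rejects it because len2 alone exceeds the remaining space. The same pattern applies to any length arithmetic done before a copy: check the operands against the capacity, never a sum that can wrap.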