Linked by Thom Holwerda on Thu 23rd May 2013 23:22 UTC
X11, Window Managers "Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org's security team to analyze, confirm, and fix these issues."
Thread beginning with comment 562574
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Overflowing
by Brendan on Fri 24th May 2013 04:25 UTC in reply to "Overflowing"
Brendan
Member since:
2005-11-16

Hi,

Surely there should be some automated process just to go through and check for this kind of fundamental error.


The problem is that for some languages (C, C++) it's impossible to (e.g) tell the difference between a potential overflow that can't happen, an intentional potential overflow that is meant to happen, and an erroneous potential overflow.

For a simple example consider this:

int foo(int b, int c) {
int a = b + c;
return a;
}

This is a potential overflow, but can it happen (you'd have to analyse all the callers to determine the range/s of values that might be passed), and if it can happen is it intentional?

The other problem is that these languages don't support range limiting. For example, you can't do something like "typedef int range 1 to 12 monthType;". This means that if you solve the first problem you still can't determine when something is out of range.

The end result is that it's impossible for a tool to detect when a programmer has failed to validate data from an external source.

- Brendan

Reply Parent Score: 3

RE[2]: Overflowing
by Alfman on Fri 24th May 2013 15:14 in reply to "RE: Overflowing"
Alfman Member since:
2011-01-28

Brendan,

"The problem is that for some languages (C, C++) it's impossible to (e.g) tell the difference between a potential overflow that can't happen, an intentional potential overflow that is meant to happen, and an erroneous potential overflow."


It's true the C language doesn't do a good job of allowing the programmer to express intent with regards to overflow. I've always been disappointed that it doesn't even expose a carry flag given how indispensable it is for multi-word algorithms. In retrospect, it was a mistake not to expose overflow.

Many languages allow the compiler to handle numeric overflow, I don't really know why C doesn't.

http://www.codeproject.com/Articles/7776/Arithmetic-Overflow-Checki...


Still, an unchecked structural bounds overflow is far worse since the unbounded access to this structure (via indexes/pointers) can give an attacker a window to the entire process space. While C could help here by implementing range checked array access, there's no trivial way to guarantee the validity of code that uses pointers. Of course, managed languages don't bother offering them for this reason.

Reply Parent Score: 2