The software performs a calculation that can produce an integer
overflow or wraparound, when the logic assumes that the resulting value will
always be larger than the original value. This can introduce other weaknesses
when the calculation is used for resource management or execution
control.
Extended Description
An integer overflow or wraparound occurs when an integer value is
incremented to a value that is too large to store in the associated
representation. When this occurs, the value may wrap to become a very small
or negative number. While this may be intended behavior in circumstances
that rely on wrapping, it can have security consequences if the wrap is
unexpected. This is especially the case if the integer overflow can be
triggered using user-supplied inputs. This becomes security-critical when
the result is used to control looping, make a security decision, or
determine the offset or size in behaviors such as memory allocation,
copying, concatenation, etc.
Terminology Notes
"integer overflow" is used to cover several types of errors, including
signedness errors, or buffer overflows that involve manipulation of integer
data types instead of characters. Part of the confusion results from the
fact that 0xffffffff is -1 in a signed context. Other confusion also arises
because of the role that integer overflows have in chains.
Time of Introduction
Implementation
Common Consequences
Scope
Effect
Availability
Integer overflows generally lead to undefined behavior and therefore
crashes. In the case of overflows involving loop index variables, the
likelihood of infinite loops is also high.
Integrity
If the value in question is important to data (as opposed to flow),
simple data corruption has occurred. Also, if the integer overflow has
resulted in a buffer overflow condition, data corruption will most
likely take place.
Access Control
Instruction processing: Integer overflows can sometimes trigger buffer
overflows which can be used to execute arbitrary code. This is usually
outside the scope of a program's implicit security policy.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
The following code excerpt from OpenSSH 3.3 demonstrates a classic
case of integer overflow:
(Bad Code)
C
nresp = packet_get_int();
if (nresp < 0) {
response = xmalloc(nresp*sizeof(char*));
for (i = 0; i > nresp; i++) response[i] =
packet_get_string(NULL);
}
If nresp has the value 1073741824 and sizeof(char*) has its typical
value of 4, then the result of the operation nresp*sizeof(char*)
overflows, and the argument to xmalloc() will be 0. Most malloc()
implementations will happily allocate a 0-byte buffer, causing the
subsequent loop iterations to overflow the heap buffer response.
Example 2
This example processes user input comprised of a series of
variable-length structures. The first 2 bytes of input dictate the size of
the structure to be processed.
(Bad Code)
C
char* processNext(char* strm) {
char buf[512];
short len = *(short*) strm;
strm += sizeof(len);
if (len <= 512) {
memcpy(buf, strm, len);
process(buf);
return strm + len;
}
else {
return -1;
}
}
The programmer has set an upper bound on the structure size: if it is
larger than 512, the input will not be processed. The problem is that
len is a signed integer, so the check against the maximum structure
length is done with signed integers, but len is converted to an unsigned
integer for the call to memcpy(). If len is negative, then it will
appear that the structure has an appropriate size (the if branch will be
taken), but the amount of memory copied by memcpy() will be quite large,
and the attacker will be able to overflow the stack with data in strm.
Example 3
Integer overflows can be complicated and difficult to detect. The
following example is an attempt to show how an integer overflow may lead to
undefined looping behavior:
(Bad Code)
C
short int bytesRec = 0;char buf[SOMEBIGNUM];
while(bytesRec < MAXGET) {
bytesRec += getFromInput(buf+bytesRec);
}
In the above case, it is entirely possible that bytesRec may overflow,
continuously creating a lower number than MAXGET and also overwriting
the first MAXGET-1 bytes of buf.
Length value of -1 leads to allocation of 0 bytes
and resultant heap overflow.
Potential Mitigations
Phase
Description
Pre-design: Use a language or compiler that performs automatic bounds
checking.
Architecture and Design
Use of sanity checks and assertions at the object level. Ensure that
all protocols are strictly defined, such that all out of bounds behavior
can be identified simply.
Pre-design through Build: Canary style bounds checking, library
changes which ensure the validity of chunk data, and other such fixes
are possible but should not be relied upon.
Yves Younan. "An overview of common programming security vulnerabilities and
possible solutions". Student thesis section 5.4.3. August 2003. <http://fort-knox.org/thesis.pdf>.
Description
