atoi() security vulnerability

subbu1234, Join Date: Jan 2008
Newbie Member
Hi All, I am doing a source code analysis of our product using static analysis tools such as flawfinder and RATS. As per flawfinder, the atoi() function seems to be having a range problem wherein the resulting number can exceed the expected range and it can go to the negative side. This is happening in Windows XP and not in Linux using gcc. The input is being truncated to the max upper limit of the 2 byte integer value. Can the atoi() function be used safely? If not, is there any other function which is not having this problem?
Salem, Join Date: Nov 2007
Ambitious contributor
> Can the atoi() function be used safely.
No.

> If not can anyother function which is not having this problem
strtol() is the only safe standard function for converting a string to an int.

> This is happening in Windows XP and not in Linux using gcc.
Which only goes to show that when used outside the spec, anything can happen, including the apparent "correct" result.
AFAIK, atoi() is just a wrapper around strtol() in glibc.

> The input is being truncated to the max upper limit of the 2 byte interger value.
Huh? What compiler are you using?
All the compilers for the operating systems you've mentioned should have 4-byte integers.
subbu1234, Join Date: Jan 2008
Newbie Member
Hey Salem, sorry for the incorrect specification. It is 4 bytes. Anyway, thanks for the answer. Can you post some sample code if it is not too much of a problem?
Salem, Join Date: Nov 2007
Ambitious contributor
Sample code of what?
subbu1234, Join Date: Jan 2008
Newbie Member
Hi Salem, can you post a sample cpp source code for strtol() which, as per you, does not have the range problem?
oogabooga
Ambitious contributor
Quote:
Originally Posted by Salem
> Can the atoi() function be used safely.
No.
Are you saying that it's a security issue?
How?
Salem, Join Date: Nov 2007
Ambitious contributor
> Are you saying that it's a security issue?
> How?
Because it has no means of detecting or representing numeric overflow (according to its spec at any rate).

If you were to implement atoi() in a naive manner, then numeric overflow would surely result at some point of a purposely constructed long string.

And since the ANSI C standard allows for the possibility of hardware overflow generating an exception, the whole thing becomes untenable.
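The sample requested earlier in the thread, written as an added example rather than anything Salem or the other posters supplied: a checked replacement for atoi() built on strtol(). It reports the three conditions atoi() silently swallows (no digits at all, trailing garbage, and a value outside the range of int), using errno/ERANGE for overflow of long plus an explicit narrowing check for int. The function names parse_int, classify and parse_int_or and the parse_status enum are this example's own choices, not a standard API.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of a checked string-to-int conversion (names chosen for this example). */
typedef enum {
    PARSE_OK,        /* whole string was a number that fits in int   */
    PARSE_EMPTY,     /* no digits found (strtol consumed nothing)     */
    PARSE_TRAILING,  /* digits followed by junk, e.g. "12abc"         */
    PARSE_RANGE      /* magnitude too large for long or for int       */
} parse_status;

/*
 * Convert s to an int with full error reporting.
 * strtol() skips leading whitespace and accepts an optional sign; everything
 * else is checked here. Unlike atoi(), an out-of-range input is never
 * reported as a wrapped or saturated value: *out is left untouched on error.
 */
parse_status parse_int(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;                       /* strtol only sets errno, never clears it */
    v = strtol(s, &end, 10);

    if (end == s)
        return PARSE_EMPTY;          /* nothing parsed at all */
    if (*end != '\0')
        return PARSE_TRAILING;       /* e.g. "12abc" or "12 " */
    if (errno == ERANGE)
        return PARSE_RANGE;          /* overflowed long itself: value is LONG_MIN/LONG_MAX */
    if (v > INT_MAX || v < INT_MIN)
        return PARSE_RANGE;          /* fits in long (64-bit platforms) but not in int */

    *out = (int)v;
    return PARSE_OK;
}

/* Status only, for callers that just want to validate input. */
parse_status classify(const char *s)
{
    int unused;
    return parse_int(s, &unused);
}

/* atoi()-shaped convenience: returns the value, or fallback on any error. */
int parse_int_or(const char *s, int fallback)
{
    int v;
    return parse_int(s, &v) == PARSE_OK ? v : fallback;
}

int main(void)
{
    /* Constructed inputs covering each branch; the last one is the kind of
       "purposely constructed long string" that atoi() cannot report. */
    const char *samples[] = {
        "42", "  -17", "2147483647", "-2147483648",
        "2147483648", "99999999999999999999", "12abc", "", "abc"
    };
    const char *names[] = { "OK", "EMPTY", "TRAILING", "RANGE" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0;
        parse_status st = parse_int(samples[i], &v);
        if (st == PARSE_OK)
            printf("%-24s -> %-8s value=%d\n", samples[i], names[st], v);
        else
            printf("%-24s -> %s\n", samples[i], names[st]);
    }
    return 0;
}
```

The errno check and the INT_MIN/INT_MAX comparison are both needed: on a 32-bit long (Windows, 32-bit Linux) "2147483648" is caught by ERANGE, while on a 64-bit long it parses fine as a long and is only caught by the narrowing check.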