1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

atoi() security vulnerability

Discussion in 'C' started by subbu1234, Jan 3, 2008.

  1. subbu1234

    subbu1234 New Member

    Joined:
    Jan 3, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
    Hi All , i am doing a source code analysis of our product using static analysis tools such as flawfinder and RATS. As per flawfinder atoi() function seems to be having a range problem wherein the resulting number can exceed the expected range and it can go to the negative side. This is happening in Windows XP and not in Linux using gcc. The input is being truncated to the max upper limit of the 2 byte interger value. Can the atoi() function be used safely. If not can anyother function which is not having this problem
     
  2. Salem

    Salem New Member

    Joined:
    Nov 15, 2007
    Messages:
    133
    Likes Received:
    5
    Trophy Points:
    0
    Occupation:
    Please don't PM me for 1:1 support.
    > Can the atoi() function be used safely.
    No.

    > If not can anyother function which is not having this problem
    strtol() is the only safe standard function for converting a string to an int.

    > This is happening in Windows XP and not in Linux using gcc.
    Which only goes to show that when used outside the spec, anything can happen, including the apparent "correct" result.
    AFAIK, atoi() is just a wrapper around strtol() in glibc.

    > The input is being truncated to the max upper limit of the 2 byte interger value.
    Huh? what compiler are you using?
    All the compilers for the operating systems you've mentioned should have 4-byte integers.
     
  3. subbu1234

    subbu1234 New Member

    Joined:
    Jan 3, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
    hey salem sorry for the incorrect specification. It is 4 bytes. Anyways thanks for the answer can u post a sample code if it is not too much of a problem
     
  4. Salem

    Salem New Member

    Joined:
    Nov 15, 2007
    Messages:
    133
    Likes Received:
    5
    Trophy Points:
    0
    Occupation:
    Please don't PM me for 1:1 support.
    Sample code of what?
     
  5. subbu1234

    subbu1234 New Member

    Joined:
    Jan 3, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
    Hi Salem can you post a sample cpp source code for strtol() which as per you does not have the range problem ,
     
  6. oogabooga

    oogabooga New Member

    Joined:
    Jan 9, 2008
    Messages:
    115
    Likes Received:
    11
    Trophy Points:
    0
    Are you saying that it's a security issue?
    How?
     
  7. Salem

    Salem New Member

    Joined:
    Nov 15, 2007
    Messages:
    133
    Likes Received:
    5
    Trophy Points:
    0
    Occupation:
    Please don't PM me for 1:1 support.
    > Are you saying that it's a security issue?
    > How?
    Because it has no means of detecting or representing numeric overflow (according to it's spec at any rate).

    If you were to implement atoi() in a naive manner, then numeric overflow would surely result at some point of a purposely constructed long string.

    And since the ANSI C standard allows for the possibility of hardware overflow generating an exception, the whole thing becomes untenable.
     
    shabbir likes this.

Share This Page