Go4Expert

Go4Expert (http://www.go4expert.com/)
-   C (http://www.go4expert.com/articles/c-tutorials/)
-   -   Integer Overflow (Bugs) in C (http://www.go4expert.com/articles/integer-overflow-bugs-c-t26079/)

lionaneesh 16Jun2011 22:18

Integer Overflow (Bugs) in C
 
Integers is a fundamental data type in a C program, They are used to represent a finite subset of mathematical integers, C Provides us with a suite of functions, and quite a lot of modifiers for manipulating these integers , but if these functions and modifiers are not used properly and carefully they can lead top disastrous results like failing of a Program Logic , Security breach , A break in authentication applications etc.

Integer Overflow



Integer data types in C have a fixed size and limits and which cannot be changed dynamically, This drawback have resulted in a bug commonly known as ‘Integer Overflow bugs’. These bugs are one of the difficult bugs to track down and fix. It happens When an arithmetic operation attempts to create a numeric value that is larger than can be represented within available storage space.

Basically what happens is , As we add 1 to the maximum value than can be represented within a storage space , The integer overflows and resets to the minimum value it can hold .

To make it simple let’s take an example of a odometer (non-digital) an odometer is used to measure distances and it consists of different rings! When odometer reaches its maximum value i.e some 9999’s after that it rolls over to its lowest value i.e 0.

Demonstration



Bug.c
Code:

  #include<stdio.h>
 
  int main()
  {
      int i=0;
 
      scanf("%d",&i);
 
      printf("Value %d" , i);
     
      return(0);
  }

Compiling :-
Code:

  gcc Bug.c –o Bug
Input : 1

Ouput :-
Code:

  1
  Value 1

Input : 2147483648
Code:

  2147483648
  Value -2147483648

Boom! See what just happened we have carried a successful Integer overflow attack o our application.

How it happened

I am currently using a 32 bit GCC compiler , with MAXIMUM integer limit set to 2147483647 , So as we add one more to it resets back to its minimum value i.e -2147483648.

This was just an example of how these bugs can be demonstrated , and believe me if you pick up 10 normal C applications and test them for these bugs I guarantee you’ll find at least one of them which is vulnerable.

A Challenge



In the following challenge, You have to force the application to print the success message.

Code:

  #include<stdio.h>
 
  void printInt(unsigned int i)
  {
      if(i > 100)
      {
          printf("Success ! You did it!\nValue of Int : %u",i);
          return(0);
      }
  }
 
  int main()
  {
      int i=0;
 
      scanf("%d",&i);
 
      if(i > 100)
      {
          return(-1);
      }
      printInt(i);
      return(0);
  }

It may seem impossible at first, Read the article once more check if you are missing something , Read the Code carefully and you’ll get your solution.


Solution (don’t check it , at least before trying) :-


Give the input as ‘-1’
Code:

  -1
  Success ! You did it!
  Value of Int : 4294967295

That’s all for this tutorial , Stay tuned for more!

lionaneesh 17Jun2011 07:44

Re: Integer Overflow (Bugs) in C
 
Thanks for accepting my article , I hope the viewers will like it!

Avenger625 17Jun2011 23:24

Re: Integer Overflow (Bugs) in C
 
I understood both of the codes - the Bug.c and the next one. I also understood, why such outputs are shown. But i did not get the link between the problem (Integer Overflow Bug) and the Challenge. I mean is "Challenge" a solution to the Bug.....the two codes are quite different in purpose, you see Bug.c adds and stores a no. into an integer variable that causes an overflow.
I simply could not link the 2 parts of the tutorial. Please, explain.....

And did we specifically use "100"????
Quote:


if(i > 100)
....


lionaneesh 18Jun2011 12:18

Re: Integer Overflow (Bugs) in C
 
Quote:

Originally Posted by Avenger625 (Post 84256)
I understood both of the codes - the Bug.c and the next one. I also understood, why such outputs are shown. But i did not get the link between the problem (Integer Overflow Bug) and the Challenge. I mean is "Challenge" a solution to the Bug.....the two codes are quite different in purpose, you see Bug.c adds and stores a no. into an integer variable that causes an overflow.
I simply could not link the 2 parts of the tutorial. Please, explain.....

And did we specifically use "100"????

The challenge was related to the tutorial , because we needed to overflow the Unsigned int (data type) in C , If you have been Coding in C , You must know that unsigned int starts from 0 , and if -1 is provided it overflows to the highest value it can hold. I hope this makes it clear!


All times are GMT +5.5. The time now is 14:29.