subbu1234 3Jan2008 15:02

atoi() security vulnerability
 
Hi All, I am doing a source code analysis of our product using static analysis tools such as flawfinder and RATS. As per flawfinder, the atoi() function seems to be having a range problem wherein the resulting number can exceed the expected range and it can go to the negative side. This is happening in Windows XP and not in Linux using gcc. The input is being truncated to the max upper limit of the 2 byte integer value. Can the atoi() function be used safely? If not, can any other function be used which is not having this problem?

Salem 3Jan2008 16:10

Re: atoi() security vulnerability
 
> Can the atoi() function be used safely?
No.

> If not, can any other function be used which is not having this problem?
strtol() is the only safe standard function for converting a string to an int.

> This is happening in Windows XP and not in Linux using gcc.
Which only goes to show that when used outside the spec, anything can happen, including the apparent "correct" result.
AFAIK, atoi() is just a wrapper around strtol() in glibc.

> The input is being truncated to the max upper limit of the 2 byte integer value.
Huh? What compiler are you using?
All the compilers for the operating systems you've mentioned should have 4-byte integers.

subbu1234 3Jan2008 17:35

Re: atoi() security vulnerability
 
Hey Salem, sorry for the incorrect specification. It is 4 bytes. Anyway, thanks for the answer. Can you post a sample code if it is not too much of a problem?

Salem 3Jan2008 20:46

Re: atoi() security vulnerability
 
Sample code of what?

subbu1234 4Jan2008 09:33

Re: atoi() security vulnerability
 
Hi Salem, can you post a sample cpp source code for strtol() which, as per you, does not have the range problem?

oogabooga 9Jan2008 22:41

Re: atoi() security vulnerability
 
Quote:

Originally Posted by Salem
> Can the atoi() function be used safely?
No.

Are you saying that it's a security issue?
How?

Salem 10Jan2008 00:16

Re: atoi() security vulnerability
 
> Are you saying that it's a security issue?
> How?
Because it has no means of detecting or representing numeric overflow (according to its spec at any rate).

If you were to implement atoi() in a naive manner, then numeric overflow would surely result at some point of a purposely constructed long string.

And since the ANSI C standard allows for the possibility of hardware overflow generating an exception, the whole thing becomes untenable.
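
The strtol() sample requested earlier in the thread, written here as an added example (not code posted by any participant): it converts a string to int and reports the overflow, empty-input and trailing-junk cases that atoi() cannot signal. The names `parse_int` and `parse_status` are hypothetical, and the sample inputs are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Result codes for parse_int() (hypothetical names, not from the thread). */
enum parse_status { PARSE_OK, PARSE_EMPTY, PARSE_TRAILING, PARSE_RANGE };

/* Convert a decimal string to int; *out is written only on PARSE_OK. */
enum parse_status parse_int(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || out == NULL)
        return PARSE_EMPTY;

    errno = 0;                      /* strtol() sets errno but never clears it */
    v = strtol(s, &end, 10);

    if (end == s)                   /* no digits were consumed */
        return PARSE_EMPTY;
    if (errno == ERANGE)            /* did not fit in long; v was clamped */
        return PARSE_RANGE;
    if (v < INT_MIN || v > INT_MAX) /* fits in long but not in int (64-bit long) */
        return PARSE_RANGE;
    if (*end != '\0')               /* characters left over, e.g. "12abc" */
        return PARSE_TRAILING;

    *out = (int)v;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample inputs covering each outcome. */
    const char *samples[] = { "42", "-17", "2147483647", "2147483648",
                              "99999999999999999999999", "12abc", "", "abc" };
    static const char *names[] = { "ok", "empty", "trailing", "range" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = 0;
        enum parse_status st = parse_int(samples[i], &n);
        printf("%-26s -> %-8s value=%d\n", samples[i], names[st], n);
    }
    return 0;
}
```

The explicit INT_MIN/INT_MAX comparison matters on platforms where long is wider than int: there strtol() succeeds without ERANGE for a value such as 2147483648, and only the range check stops it from being narrowed into an int.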

