Integer Overflows/Underflows


 * 1) REDIRECT Integer_overflow

Last revision: //

Description
Integer overflow belongs to a logic errors family. It occurs when a given range of int (integer) type numbers is overflowed due to arithmetic operations. Generally there are only two operations which cause these kind of errors - addition and multiplication.

Risk Factors
TBD

Examples
Example 1 (addition) rezos@bezel ~/labs/integer $ cat add.c
 * 1) include 
 * 2) include 

int main(void) { int a;

// a=2147483647; a=INT_MAX;

printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);

return 0; }

rezos@bezel ~/labs/integer $ ./add int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000) By adding 1 to the biggest possible signed (+ or -) integer value we overwrite the sign bit. In short, by adding two positive numbers we get one big negative number.

Example 2 (multiplication) rezos@bezel ~/labs/integer $ cat multiplication.c
 * 1) include 
 * 2) include 
 * 3) include 
 * 4) include 

int main(int argc, char **argv) { int i, j, z=0x00000001; char *tab;

if(argc<2) _exit(1);

i=atoi(argv[1]);

if(i>0) { tab = malloc(i * sizeof(char *)); if(tab == NULL) _exit(2); }

for(j=0; j

int main(void) { printf ("1073741824 *4 = %d\n", 1073741824 * 4); return 0; } In this program we multiply 1073741824 * 4 because sizeof(char *) will return 4. rezos@bezel ~/labs/integer $ gcc -ggdb multi.c -o multi multi.c: In function 'main': multi.c:6: warning: integer overflow in expression The compiler warns us that the program contains an expression which causes an integer overflow. To make sure what the result of the multiplication will be: rezos@bezel ~/labs/integer $ ./multi 1073741824 *4 = 0 malloc(0) (in the main example) will allocate memory with size 0 correctly(poprawnie)/successfully(z powodzeniem), and that will allow for overwriting memory segments on the heap.

Memory allocation with a negative value may cause allocation of very small or very big memory segments depending on the implementation of the *alloc functions. Integer overflow errors may also lead to the situation where condition statements, which are supposed to check buffers boundaries, are omitted.

Integer overflow errors are not always a threat themselves. However they provide the possibility to overwrite or to read memory content beyond boudries of the buffers, for example during buffer indexing.

Related Threat Agents

 * internal software developer
 * contractors

Related Attacks

 * Buffer overflow

Related Vulnerabilities

 * Integer overflow
 * Stack overflow
 * Heap overflow

Related Controls

 * Use programming language and/or compiler, which will check the buffers boundries and their indexes.
 * Use libraries, which provides API for arithmetic operations (e.g. safe_iop, IntegerLib)
 * Check results of the arithmetic operations, which used integer numbers and compare them with the expected values.