Date: Wed Mar 29 08:19:10 2006
From: vanderaj at greebo.net (Andrew van der Stock)
Subject: Java integer overflows (was: a really long topic)

I'm not talking arbitrary code execution, I'm talking about odd code  
paths, bizarre outcomes, and DoS.

For example (found via 19 Sins, Viega, Howard and LeBlanc):
http://seclists.org/lists/bugtraq/2004/Nov/0097.html

I know Michael reads webappsec, he may have more examples.

In my own code testing, I look for silly behaviors if a user can  
insert a large or negative number. You'd be surprised how often it  
occurs. There is no excuse not to include basic range checks when  
performing data validation.

thanks,
Andrew

On 29/03/2006, at 2:30 PM, michaelslists@...il.com wrote:

> No you don't.
>
> Arrays are all bounds checked; ..., that is, the following code will
> throw an exception:
>
> ================================
> class Foo {
>   static {
>     int[] m = new int[2];
>     System.out.println(m[34]);
>   }
> }
> ================================
>
>
> What do you mean by "overflow"? Do you mean this?
>
> ================================
> class Foo {
>   static {
>     int m = Integer.MAX_VALUE;
>     int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
>     System.out.println(m);
>     System.out.println(k);
>     System.exit(0);
>   }
> }
> ================================
>
> if so, I don't see how that is an issue.
>
> -- Michael
>
>
>
> On 3/29/06, Andrew van der Stock <vanderaj@...ebo.net> wrote:
>> This is not quite true.
>>
>> Java does not prevent integer overflows (it will not throw an
>> exception). So you still have to be careful about array indexes.
>>
>> Andrew
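
The range-check point above, as an added example that is not part of the original thread: a length check done in `int` arithmetic wraps for a large user-supplied value, shown next to two checks that do not. The class and method names, the 16-byte buffer and the input values are assumptions made for illustration; `Math.addExact` requires Java 8 or later.

```java
public class RangeCheckDemo {
    // Constructed 16-byte buffer standing in for application data.
    static final byte[] BUF = new byte[16];

    // Flawed check: offset + length is evaluated in 32-bit int arithmetic
    // and wraps silently, so a very large length yields a negative sum
    // that compares as "in range".
    static boolean naiveInRange(int offset, int length) {
        return offset + length <= BUF.length;
    }

    // Overflow-free check: reject negatives, then compare the length with
    // the space left after offset, using subtraction that cannot wrap.
    static boolean safeInRange(int offset, int length) {
        return offset >= 0 && length >= 0
                && offset <= BUF.length
                && length <= BUF.length - offset;
    }

    // Alternative (Java 8+): Math.addExact throws instead of wrapping.
    static boolean exactInRange(int offset, int length) {
        try {
            return offset >= 0 && length >= 0
                    && Math.addExact(offset, length) <= BUF.length;
        } catch (ArithmeticException overflow) {
            return false;
        }
    }

    public static void main(String[] args) {
        int offset = 8;                  // constructed user input
        int length = Integer.MAX_VALUE;  // constructed user input

        System.out.println("naive check accepts: " + naiveInRange(offset, length));
        System.out.println("safe check accepts:  " + safeInRange(offset, length));
        System.out.println("exact check accepts: " + exactInRange(offset, length));

        // Code guarded only by the naive check goes on to use the values.
        // The JVM's bounds check stops the access, but as a runtime
        // exception on a path the caller did not plan for.
        if (naiveInRange(offset, length)) {
            try {
                byte last = BUF[offset + length - 1];
                System.out.println("read " + last);
            } catch (ArrayIndexOutOfBoundsException e) {
                System.out.println("unexpected exception: " + e);
            }
        }
    }
}
```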
