WebApp Sec mailing list archives
Re: Java integer overflows (was: a really long topic)
From: michaelslists () gmail com
Date: Wed, 29 Mar 2006 14:50:10 +1100
right, but we're talking about unmanaged vs managed, and the earlier poster (i think it might've been "pavel" [sorry if it wasn't]), said that 100% java is still vulnerable to buffer overflows. the fact is that it isn't. -- Michael On 3/29/06, Andrew van der Stock <vanderaj () greebo net> wrote:
I'm not talking arbitrary code execution, I'm talking about odd code paths, bizarre outcomes, and DoS. For example (found via 19 Sins, Viega, Howard and LeBlanc): http://seclists.org/lists/bugtraq/2004/Nov/0097.html I know Michael reads webappsec, he may have more examples. In my own code testing, I look for silly behaviors if a user can insert a large or negative number. You'd be surprised how often it occurs. There is no excuse not to include basic range checks when performing data validation. thanks, Andrew On 29/03/2006, at 2:30 PM, michaelslists () gmail com wrote:No you dont. Arrays are all bounds checked; ..., that is, the following code will throw an exception: ================================ class Foo { static { int[] m = new int[2]; System.out.println(m[34]); } } ================================ What do you mean by "overflow"? Do you mean this? ================================ class Foo { static { int m = Integer.MAX_VALUE; int k = Integer.MAX_VALUE + Integer.MAX_VALUE; System.out.println(m); System.out.println(k); System.exit(0); } } ================================ if so, I don't see how that is an issue. -- Michael On 3/29/06, Andrew van der Stock <vanderaj () greebo net> wrote:This is not quite true. Java does not prevent integer overflows (it will not throw an exception). So you still have to be careful about array indexes. Andrew
------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code, (continued)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Java integer overflows (was: a really long topic) Andrew van der Stock (Mar 28)
- Re: Java integer overflows (was: a really long topic) michaelslists (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) Eliah Kagan (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) michaelslists (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really longtopic) michaelslists (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really longtopic) Eliah Kagan (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- [Full-disclosure] Re: Java integer overflows (was: a really longtopic) michaelslists (Mar 28)
- Re: Java integer overflows (was: a really long topic) Eoin (Mar 29)
- Re: [Full-disclosure] Java integer overflows (was: a really long topic) Simon Roberts (Mar 29)
- RE: [Full-disclosure] Java integer overflows (was: a really long topic) Tim Hollebeek (Mar 30)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)