Vulnerability Development mailing list archives
Overflows due to unexpected casts
From: mixter () NEWYORKOFFICE COM (Mixter)
Date: Thu, 20 Jan 2000 20:06:35 +0100
I have lately examined some of my own source, and the source of mpg123,
because I had experienced some strange segv's. I found that the reason of
some segmentation faults were buffer overflows caused by bad conversions.
Almost all bounds checking functions like like memcpy, strncpy, snprintf,
etc. use integers which are, of course, unsigned, for the buffer size
argument. However, programs commonly use to pass signed integers or
signed long integers to those functions. In the rare, but possible condition
that such an integer is <= 0, the conversion to an unsigned int (which is done
implicity by passing it as argument to the bounds checking function) will
result in unexpected behavior... the LSB that is used to determine signedness
is a part of the numeric value in unsigned variables, which results in...
(signed int) -1 == (unsigned int) UINT_MAX
(printf ("%u\n", -1); will show that UINT_MAX is usually 4294967295)
I found that this is the cause of a segfault in mpg123 ver. 0.59q,
which happens when invalid layer3 data is read from an mpeg file...
do_layer3()/layer3.c fetches header information, including a length value,
from the mpeg3 stream, and calls set_pointer()/common.c with this value
without further checking it, which looks like this:
void set_pointer(long backstep)
{
wordpointer = bsbuf + ssize - backstep;
if (backstep)
memcpy(wordpointer,bsbufold+fsizeold-backstep,backstep);
bitindex = 0;
}
Note that the function performs a check, which is however insufficient..
"if (backstep) ..." will only prevent the integer from being exactly 0, not
from having a negative value. Therefore, if receiving -1 as buffer length,
memcpy can be instructed to copy up to 4294967295 bytes from src to dest.
This is obviously a bad thing, and I think that many programs could suffer
from this condition, if they do not check for values smaller than zero,
before passing them to functions that treat them as unsigned integers.
Please note that the impact in mpg123 is minimal, as it probably can only
be crashed. It is just used to illustrate the problem that might be present
in other applications.
A thing which I am not certain about is, could such overflows be used to
execute arbitrary code? E.g., will they always segfault prior to the point
of copying the huge strings to the destination, or do they first try to
return, leaving the possibility of executing code on the stack? Anyways,
I think this kind of conversion needs to be done with care in server
applications which determine the input size in any way by obtaining it
from the data stream (e.g. DNS protocol), because there could be at least
the possibility to remotely crash server applications with this bug.
Mixter
________________________
mixter () newyorkoffice com
http://1337.tsx.org
mkdir -p `perl -e 'printf "a/" x 1000'`
Current thread:
- Re: ICQ >= 99* + CC Data Ken Williams (Jan 17)
- <Possible follow-ups>
- Re: ICQ >= 99* + CC Data Sachs, Marcus (Jan 17)
- Re: ICQ >= 99* + CC Data Jon Hadley (Jan 17)
- Re: ICQ >= 99* + CC Data Blue Boar (Jan 17)
- Re: ICQ >= 99* + CC Data Mikael Olsson (Jan 18)
- R: Re: ICQ >= 99* + CC Data Raistlin (Jan 19)
- Re: ICQ >= 99* + CC Data Taavet Hinrikus (Jan 20)
- Re: R: Re: ICQ >= 99* + CC Data C. C. Camp (Jan 20)
- Overflows due to unexpected casts Mixter (Jan 20)
- Re: ICQ >= 99* + CC Data Blue Boar (Jan 17)
- Re: ICQ >= 99* + CC Data Jon Hadley (Jan 18)
- Re: ICQ >= 99* + CC Data Flynn, Harold M. III (Jan 18)