WebApp Sec mailing list archives
Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic)
From: "Eliah Kagan" <degeneracypressure () gmail com>
Date: Tue, 28 Mar 2006 22:53:48 -0500
On 3/29/06, Andrew van der Stock wrote:This is not quite true. Java does not prevent integer overflows (it will not throw an exception). So you still have to be careful about array indexes.
On 3/28/06, michaelslists () gmail com replied:
No you dont.
Arrays are all bounds checked; ..., that is, the following code will
throw an exception:
================================
class Foo {
static {
int[] m = new int[2];
System.out.println(m[34]);
}
}
================================
What do you mean by "overflow"? Do you mean this?
================================
class Foo {
static {
int m = Integer.MAX_VALUE;
int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
System.out.println(m);
System.out.println(k);
System.exit(0);
}
}
================================
if so, I don't see how that is an issue.
-- Michael
That is an issue in a limited way--if you are trying to access a record with a high enough number (say by adding a number to a previous array index), you might end up accessing a record with a low number, which could potentially compromise the security of an application if certain assumptions are made. But this would only be within the same array that is already being accessed. The risk is minimal compared to the risks of accessing past the end of an array in, say, C. Even with bounds checking, there is no general way for a programming language to stop the programmer from writing a program that accesses the wrong piece of data in within a data structure, causing a security problem. Java was never designed to solve this sort of problem. Java does abstract data access so that many common bugs like buffer overflows are prevented, which is very useful. -Eliah ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code, (continued)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Pavel Kankovsky (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Java integer overflows (was: a really long topic) Andrew van der Stock (Mar 28)
- Re: Java integer overflows (was: a really long topic) michaelslists (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) Eliah Kagan (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really long topic) michaelslists (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really longtopic) michaelslists (Mar 28)
- Re: [Full-disclosure] Re: Java integer overflows (was: a really longtopic) Eliah Kagan (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 27)
- [Full-disclosure] Re: Java integer overflows (was: a really longtopic) michaelslists (Mar 28)
- Re: Java integer overflows (was: a really long topic) Eoin (Mar 29)
- Re: [Full-disclosure] Java integer overflows (was: a really long topic) Simon Roberts (Mar 29)
- RE: [Full-disclosure] Java integer overflows (was: a really long topic) Tim Hollebeek (Mar 30)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code michaelslists (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Andrew van der Stock (Mar 28)
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability,Firefox vs IE security, User vs Admin risk profile,and browsers coded in 100% Managed Verifiable code Brian Eaton (Mar 29)