This post was last edited by nswcfd on 2015-09-17 18:16.
A few days ago I asked on this board about the comparison -1 > sizeof(int): http://bbs.chinaunix.net/forum.php?mod=viewthread&tid=4187986
I raised that question because I had read an article introducing integer overflows: http://www.phrack.org/issues/60/10.html#article
It discusses the following bug pattern:
Here is a classic example of a signedness bug:

    #include <string.h>

    int copy_something(char *buf, int len){
        char kbuf[800];
        if(len > sizeof(kbuf)){ /* [1] */
            return -1;
        }
        memcpy(kbuf, buf, len); /* [2] memcpy's length parameter is size_t (unsigned) */
        return 0;
    }

The problem here is that memcpy takes an unsigned int as the len parameter,
but the bounds check performed before the memcpy is done using signed
integers. By passing a negative value for len, it is possible to pass the
check at [1], but then in the call to memcpy at [2], len will be interpreted
as a huge unsigned value, causing memory to be overwritten well past the
end of the buffer kbuf.
I feel this argument is somewhat flawed: if the len passed in is negative, then the check at [1] should succeed,
because sizeof yields an unsigned value, and a negative value (whose top bit is 1) is, in the comparison, certainly greater than the largest positive integer (whose top bit is 0), and therefore greater than sizeof(kbuf).
Of course, on some platform where sizeof is not unsigned, or where a negative number compares less than an unsigned number, the bug would hold.
But that raises another question: on what kind of platform does this bug actually hold?
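An added C example (not from the original post or the Phrack article; the function names are my own) that puts the comparison rules side by side: the check written against sizeof(kbuf), the same check written against a signed int bound as the article's description actually requires, and a hardened form that rejects negative lengths outright. It also shows what memcpy would receive as its size argument.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KBUF_SIZE 800   /* same buffer size as the Phrack example */

/* Phrack-style check: int len compared against sizeof(kbuf), a size_t.
 * Under the usual arithmetic conversions len is converted to size_t
 * (on every mainstream ABI size_t has at least the rank of int), so a
 * negative len becomes a huge unsigned value and IS rejected here.
 * Returns true when the check would let the copy proceed. */
bool passes_sizeof_check(int len) {
    char kbuf[KBUF_SIZE];
    (void)kbuf;
    return !(len > sizeof(kbuf));   /* compilers flag this with -Wsign-compare */
}

/* The variant the article's prose actually describes: the bound is a
 * signed int, so the comparison stays signed. A negative len passes and
 * would reach memcpy, where it is converted to a huge size_t. */
bool passes_int_bound_check(int len) {
    int limit = KBUF_SIZE;
    return !(len > limit);
}

/* Hardened check: reject negatives explicitly, then compare as size_t. */
bool passes_hardened_check(int len) {
    if (len < 0) {
        return false;
    }
    return (size_t)len <= KBUF_SIZE;
}

/* What memcpy would see as its size argument for a given int len. */
size_t as_memcpy_len(int len) {
    return (size_t)len;
}

int main(void) {
    int samples[] = { -1, 0, 100, 800, 801 };   /* constructed sample lengths */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = samples[i];
        printf("len=%4d sizeof-check=%d int-bound=%d hardened=%d memcpy-len=%zu\n",
               len, passes_sizeof_check(len), passes_int_bound_check(len),
               passes_hardened_check(len), as_memcpy_len(len));
    }
    return 0;
}
```

The sizeof form rejects -1 on any ABI where size_t is at least as wide as int; only a signed bound lets the negative length through.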