Last edited by nswcfd on 2015-09-17 18:16
A few days ago I asked on this board about the relationship between -1 > sizeof(int): http://www.72891.cn/forum.php?mod=viewthread&tid=4187986
The reason I raised that question was that I had read an article introducing integer overflow: http://www.phrack.org/issues/60/10.html#article
It describes a bug pattern:
Here is a classic example of a signedness bug:
```c
#include <string.h>

int copy_something(char *buf, int len){
    char kbuf[800];
    if(len > sizeof(kbuf)){ /* [1] */
        return -1;
    }
    memcpy(kbuf, buf, len); /* [2] */
    return 0; /* original returned memcpy's void* from an int function; split so it compiles */
}
```
The problem here is that memcpy takes an unsigned int as the len parameter,
but the bounds check performed before the memcpy is done using signed
integers. By passing a negative value for len, it is possible to pass the
check at [1], but then in the call to memcpy at [2], len will be interpreted
as a huge unsigned value, causing memory to be overwritten well past the
end of the buffer kbuf.
Personally I think there is something wrong with this argument. If the len passed in is negative, then the check at [1] should hold,
because sizeof is an unsigned value, and in the comparison a negative value (top bit is 1) is certainly greater than the largest positive integer (top bit is 0), and therefore greater than sizeof(buf).
Of course, if on some platform sizeof is not unsigned, or a negative number does compare less than an unsigned number, then the bug would hold.
But then the question becomes: on which platforms does this bug hold?
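An added example (not from the post or the Phrack article) that exercises both forms of the check: the quoted comparison against sizeof(kbuf), where the usual arithmetic conversions turn a negative len into a huge size_t so check [1] rejects it, and the variant where the bound is held in a signed int, where a negative len slips through and memcpy would receive (size_t)len. The function names, the safe_copy_something hardened form and the sample input are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KBUF_SIZE 800   /* same buffer size as the Phrack snippet */

/* Check [1] exactly as quoted: int len vs size_t sizeof(kbuf).
 * Returns 1 if the check rejects len (the early "return -1" fires). */
int sizeof_check_rejects(int len)
{
    char kbuf[KBUF_SIZE];
    (void)kbuf;
    /* len is converted to size_t by the usual arithmetic conversions,
     * so a negative len becomes a huge unsigned value and is rejected */
    return len > sizeof(kbuf);
}

/* Variant where the bound lives in a signed int (a length field, or a
 * constant compared as int): the comparison is signed, so a negative
 * len passes the check. Returns 1 if rejected. */
int signed_bound_check_rejects(int len)
{
    int limit = KBUF_SIZE;
    return len > limit;
}

/* The value memcpy's size_t parameter would receive for a given len. */
size_t memcpy_len_would_be(int len)
{
    return (size_t)len;
}

/* Hardened copy (assumed name): reject negatives explicitly, then
 * compare as size_t. Returns bytes copied, or -1 on rejection. */
int safe_copy_something(char *dst, size_t dstsz, const char *src, int len)
{
    if (len < 0 || (size_t)len > dstsz)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Exercise safe_copy_something on constructed input; returns 1 on success. */
int hardened_copy_demo(void)
{
    char dst[8];
    const char src[] = "abcde";          /* constructed sample input */
    if (safe_copy_something(dst, sizeof dst, src, -1) != -1) return 0;
    if (safe_copy_something(dst, sizeof dst, src, 5) != 5) return 0;
    return memcmp(dst, "abcde", 5) == 0;
}
```

On both ILP32 and LP64 targets size_t has rank at least that of int, so the quoted check rejects negative lengths; the pattern only bites when the bound is a signed type.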