Comments on: How not to fix buffer overflows http://jens.mooseyard.com/2007/07/how-not-to-fix-buffer-overflows/ Little boxes made of words, by Jens Alfke Sun, 02 May 2010 05:43:47 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: evan (LJ) http://jens.mooseyard.com/2007/07/how-not-to-fix-buffer-overflows/comment-page-1/#comment-2090 evan (LJ) Tue, 17 Jul 2007 21:40:57 +0000 http://mooseyard.com/Jens/2007/07/how-not-to-fix-buffer-overflows/#comment-2090 There is no "rethink", there is only "run screaming in terror". Seriously, it's known Bad Software. There is no “rethink”, there is only “run screaming in terror”. Seriously, it’s known Bad Software.

]]> By: Jens Alfke http://jens.mooseyard.com/2007/07/how-not-to-fix-buffer-overflows/comment-page-1/#comment-2089 Jens Alfke Tue, 17 Jul 2007 05:25:51 +0000 http://mooseyard.com/Jens/2007/07/how-not-to-fix-buffer-overflows/#comment-2089 With gcc you need to explicitly enable the signed-unsigned-assignment warning ... and I wouldn't be surprised if PHP spews out tons of warnings as it builds (too much code I've seen does. I always build with warnings=errors.) With gcc you need to explicitly enable the signed-unsigned-assignment warning … and I wouldn’t be surprised if PHP spews out tons of warnings as it builds (too much code I’ve seen does. I always build with warnings=errors.)

]]> By: fluffy http://jens.mooseyard.com/2007/07/how-not-to-fix-buffer-overflows/comment-page-1/#comment-2088 fluffy Tue, 17 Jul 2007 04:51:31 +0000 http://mooseyard.com/Jens/2007/07/how-not-to-fix-buffer-overflows/#comment-2088 That reminds me of one time when I was a judge at the local ACM programming contest. One of the questions was to write a program to compute the Nth Fibonacci number - with the twist that N could be pretty large (so F(n) would have been greater than MAX_LONG). One of the teams of course did a naive implementation and when they found they had overflow problems, they switched to using longs - but that still wasn't enough for some of the test cases, so they switched to doubles. When that failed to work they complained about how our compilers were "broken" and refused to accept that they didn't get that problem right. Finally during the awards ceremony (when they staged a little protest) one of the other judges and I explained the difference between magnitude and precision and they were sufficiently shamed/embarrassed. The fact that PHP makes the same CS101 mistake, however... holy fucking ugh. That reminds me of one time when I was a judge at the local ACM programming contest. One of the questions was to write a program to compute the Nth Fibonacci number - with the twist that N could be pretty large (so F(n) would have been greater than MAX_LONG). One of the teams of course did a naive implementation and when they found they had overflow problems, they switched to using longs - but that still wasn’t enough for some of the test cases, so they switched to doubles. When that failed to work they complained about how our compilers were “broken” and refused to accept that they didn’t get that problem right.

Finally during the awards ceremony (when they staged a little protest) one of the other judges and I explained the difference between magnitude and precision and they were sufficiently shamed/embarrassed.

The fact that PHP makes the same CS101 mistake, however… holy fucking ugh.

]]> By: rpkrajewski (LJ) http://jens.mooseyard.com/2007/07/how-not-to-fix-buffer-overflows/comment-page-1/#comment-2087 rpkrajewski (LJ) Tue, 17 Jul 2007 03:38:52 +0000 http://mooseyard.com/Jens/2007/07/how-not-to-fix-buffer-overflows/#comment-2087 I saw the link in your del.icio.us link, and was aghast. For once my smug prejudices were roundly confirmed. One thing puzzles me, though. calloc's parameters are size_t's, not int's. The size_t type by its nature is unsigned. A strict compiler should warn about trying to fit a signed quantity in the space of the unsigned one when the bit widths of both are the same. (Conversions like unsigned char to signed int are perfectly OK, though; signed to unsigned conversions are never safe.) Even if PHP does not have unsigned int types at the interpreter level, it would seem like you would want to sanitize the integer parameters higher up in the "chunk" routine (i.e., where negative nunbers are already nonsense). At low levels, you could sanity check memory allocations checking against SIZE_MAX (Google around for it). [Please delete my first empty comment.] I saw the link in your del.icio.us link, and was aghast. For once my smug prejudices were roundly confirmed.

One thing puzzles me, though. calloc’s parameters are size_t’s, not int’s. The size_t type by its nature is unsigned. A strict compiler should warn about trying to fit a signed quantity in the space of the unsigned one when the bit widths of both are the same. (Conversions like unsigned char to signed int are perfectly OK, though; signed to unsigned conversions are never safe.) Even if PHP does not have unsigned int types at the interpreter level, it would seem like you would want to sanitize the integer parameters higher up in the “chunk” routine (i.e., where negative nunbers are already nonsense). At low levels, you could sanity check memory allocations checking against SIZE_MAX (Google around for it).

[Please delete my first empty comment.]

]]> By: rpkrajewski (LJ) http://jens.mooseyard.com/2007/07/how-not-to-fix-buffer-overflows/comment-page-1/#comment-2086 rpkrajewski (LJ) Tue, 17 Jul 2007 03:23:13 +0000 http://mooseyard.com/Jens/2007/07/how-not-to-fix-buffer-overflows/#comment-2086