C signed-integer-based attacks


Question

I was reading this question and one of the comments mentioned C signed-integer-based attacks.

I know what an int overflow is, but I don't understand how this can be used to attack a program.
What exactly is meant by attacking a program? And if you know the program has this bug, how can you use it?
Is this limited to signed int only?
If yes, then why? And what is the case in C++?
My apologies if the question is trivial.

Recommended answer

For example, there was a bug in the getpeername function from FreeBSD.

To illustrate it, let's take a function void copyFromKernel(char* dest, int size) that copies from a restricted memory area size bytes.

As you might already know, the memcpy function is declared like that:

void *memcpy(void *destination, const void *source, size_t num);

Where size_t is an unsigned type. If in our function, we do something like:

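#include <string.h>
#define KSIZE 1024   /* assumed size; the answer gives no value */
char kbuf[KSIZE];    /* kernel buffer holding restricted data */
void copy_from_kernel(void *user_dest, int maxlen) {
    /* A negative maxlen is smaller than KSIZE, so len ends up negative. */
    int len = KSIZE < maxlen ? KSIZE : maxlen;
    memcpy(user_dest, kbuf, len);   /* len is converted to size_t here */
}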

where KSIZE is the maximum number of bytes we want to allow the user to copy. If the caller sends a positive value for maxlen, the function works as expected. But if the caller sends a negative value for maxlen, then the comparison would pass and memcpy's third parameter would be that negative value. As it is converted to unsigned, the number of bytes copied would be huge, thus the caller may get restricted data.
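The length conversion described in the answer, as an added example that is not part of the original post: vulnerable_len reproduces the answer's bound check and returns the value memcpy would receive without performing the copy, and copy_from_kernel_checked (a hypothetical name) is a hardened variant that rejects negative lengths first. The KSIZE value of 1024 and the sample inputs are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KSIZE 1024                 /* assumed limit; the answer gives no value */
static char kbuf[KSIZE];           /* stands in for the restricted buffer */

/* Byte count the answer's copy_from_kernel would hand to memcpy.
   The copy itself is not performed, so this is safe to run. */
size_t vulnerable_len(int maxlen) {
    int len = KSIZE < maxlen ? KSIZE : maxlen;   /* signed comparison */
    return (size_t)len;            /* same conversion memcpy's size_t parameter applies */
}

/* Hardened variant (hypothetical name): reject negative lengths before
   any conversion, then clamp. Returns bytes copied, or -1 on rejection. */
int copy_from_kernel_checked(void *user_dest, int maxlen) {
    if (user_dest == NULL || maxlen < 0)
        return -1;
    size_t len = (size_t)maxlen;   /* safe: maxlen is known to be >= 0 */
    if (len > KSIZE)
        len = KSIZE;
    memcpy(user_dest, kbuf, len);
    return (int)len;
}

int main(void) {
    char dest[KSIZE];
    int samples[] = { 16, 5000, -1, INT_MIN };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("maxlen=%d  vulnerable memcpy size=%zu  checked=%d\n",
               samples[i], vulnerable_len(samples[i]),
               copy_from_kernel_checked(dest, samples[i]));
    return 0;
}
```

Declaring the length parameter as size_t in the first place removes the signed comparison entirely, at the cost of needing an explicit upper bound, which the clamp to KSIZE already provides.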
