C signed-integer-based attacks


Problem description



I was reading this question and one of the comments mentioned C signed-integer-based attacks.

I know what an int overflow is, but I don't understand how this can be used to attack a program.
What exactly is meant by attacking a program? And if you know the program has this bug, how can you use it?
Is this only limited to signed int?
If yes, then why? And what is the case in C++?
My apologies if the question is trivial.

Solution

For example, there was a bug in the getpeername function from FreeBSD.

To illustrate it, let's take a function void copyFromKernel(char* dest, int size) that copies size bytes from a restricted memory area.

As you might already know, the memcpy function is declared like this:

void * memcpy ( void * destination, const void * source, size_t num );

Where size_t is an unsigned type. If in our function, we do something like:

#include <string.h>          /* memcpy */
#define KSIZE 1024           /* maximum number of bytes a user may copy */
static char kbuf[KSIZE];     /* the restricted (kernel-side) buffer */
void copy_from_kernel(void *user_dest, int maxlen) {
    /* a negative maxlen is less than KSIZE, so it passes this check */
    int len = KSIZE < maxlen ? KSIZE : maxlen;
    /* len is implicitly converted to size_t: a negative value becomes huge */
    memcpy(user_dest, kbuf, len);
}

where KSIZE is the maximum number of bytes we want to allow the user to copy. If the caller sends a positive value for maxlen, the function works as expected. But if the caller sends a negative value for maxlen, then the comparison would pass and memcpy's third parameter would be that negative value. As it is converted to unsigned, the number of bytes copied would be huge, thus the caller may get restricted data.
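The following is an added example, not code from the answer above or from FreeBSD: it reproduces the vulnerable length computation but returns the size_t that memcpy would receive instead of performing the copy, and places a hardened version beside it that rejects negative lengths before any signed-to-unsigned conversion happens. KSIZE (16) and the contents of kbuf are constructed values chosen for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KSIZE 16                                     /* constructed: max bytes a caller may copy */
static const char kbuf[KSIZE] = "restricted data";   /* constructed stand-in for kernel-side data */

/* Mirrors the vulnerable check from the answer. Instead of calling memcpy,
 * it returns the size_t that memcpy's third parameter would become. */
size_t vulnerable_copy_len(int maxlen) {
    int len = KSIZE < maxlen ? KSIZE : maxlen;       /* negative maxlen passes: -1 < 16 */
    return (size_t)len;                              /* the implicit conversion memcpy performs */
}

/* Hardened version: validate the signed value first, then clamp in
 * unsigned arithmetic. Returns bytes copied, or -1 on a bad length. */
int safe_copy_from_kernel(void *user_dest, int maxlen) {
    if (maxlen < 0)                                  /* the missing signedness check */
        return -1;
    size_t len = (size_t)maxlen < KSIZE ? (size_t)maxlen : KSIZE;
    memcpy(user_dest, kbuf, len);
    return (int)len;
}

/* Convenience wrapper: copies into a local buffer and reports the result code. */
int safe_copy_result(int maxlen) {
    char out[KSIZE];
    return safe_copy_from_kernel(out, maxlen);
}

int main(void) {
    printf("maxlen=8    -> memcpy would receive %zu bytes\n", vulnerable_copy_len(8));
    printf("maxlen=100  -> memcpy would receive %zu bytes\n", vulnerable_copy_len(100));
    printf("maxlen=-1   -> memcpy would receive %zu bytes (SIZE_MAX=%zu)\n",
           vulnerable_copy_len(-1), (size_t)SIZE_MAX);
    printf("hardened: 8 -> %d, 100 -> %d, -1 -> %d\n",
           safe_copy_result(8), safe_copy_result(100), safe_copy_result(-1));
    return 0;
}
```

The check `maxlen < 0` must happen while the value is still signed; once it is converted to size_t the negative sign is gone and the value is simply a very large count. The same reasoning applies whether the declared parameter type is int or the caller passes a negative value that is later compared against an unsigned constant.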

