Me: OpenSSH is one of the most secure apps ever written, even in C. C Haters: no it's not! Several RCE bugs! Me: prove it. Show me a working exploit. *crickets* FUD and security pedantry are unbecoming of our industry, pals.
-
So, if I understand correctly, n could overflow by choosing a big enough count and a big-sized struct foo. Now I see it. Thx
-
You'd think that this would be covered by checking whether n is less than zero, which it would be if it overflowed, right? The gotcha here is that it isn't, due to interaction with the optimizer.
-
Am I being dumb? Compiling with -O3 (https://godbolt.org/g/WmFJ63) turns the comparison into an unsigned compare, so anything negative will be "too big" for the comparison and not hit the memcpy?
-
I screwed up the example. If you look closely, you'll notice it will call memcpy for n=0. Which is not what the code intends to do, but not exploitable either.
-
You sure you understand your own example? :) There's no UB in your code because 1. the multiplication is done in size_t (due to sizeof), 2. the int->size_t conversion is well defined, 3. the size_t->int conversion is implementation-defined.
-
You're right of course, this is what's going on. I accidentally demoed a different UB ("implementation defined" is just another way of saying "undefined behaviour").
-
No, it's not; the two are very different. One results in a defined program, the other does not. Now whether you like the resulting defined behaviour is another question, which is why programmers have the task of, well, doing their job and writing programs with desirable behaviour :)
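The size computation the thread is arguing about, as an added example that is not any poster's code (the original snippet is not on the page, so the shape below is an assumed reconstruction): the product count * sizeof(struct foo) is computed in size_t, narrowed to int, and then checked with n < 0. The example assumes a 64-bit size_t and the modular narrowing that gcc and clang implement (the narrowing is implementation-defined, as the thread notes), and contrasts the signed check with a check done before the multiplication, in the wide type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed element type: 64 bytes, no padding. */
struct foo { unsigned char data[64]; };

/* The product is computed in size_t (sizeof forces it); the narrowing to int
   is implementation-defined, and on gcc/clang it keeps the low 32 bits. */
int narrowed_size(size_t count) {
    return (int)(count * sizeof(struct foo));
}

/* The check the thread discusses: reject only when the narrowed n is negative.
   Returns 1 if the code would go on to memcpy n bytes, 0 if it rejects. */
int size_check_signed(size_t count) {
    int n = narrowed_size(count);
    if (n < 0)
        return 0;        /* the only case the check catches */
    return 1;            /* n may be 0, or far smaller than the real size */
}

/* Hardened form: bound count before multiplying, in the unbounded type, and
   reject a zero-length copy explicitly. Writes the exact byte count on success. */
int size_check_safe(size_t count, size_t *out_bytes) {
    if (count == 0)
        return 0;
    if (count > SIZE_MAX / sizeof(struct foo))
        return 0;        /* product would not fit in size_t */
    *out_bytes = count * sizeof(struct foo);
    return 1;
}

int main(void) {
    /* Constructed inputs around the 2^31 / 2^32 boundaries of the 32-bit int. */
    size_t counts[] = { 1, (size_t)1 << 25, (size_t)1 << 26, ((size_t)1 << 26) + 1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t bytes = 0;
        printf("count=%zu narrowed n=%d signed_check=%d safe_check=%d\n",
               counts[i], narrowed_size(counts[i]),
               size_check_signed(counts[i]),
               size_check_safe(counts[i], &bytes));
    }
    return 0;
}
```

With count = 2^25 the real size is 2^31 bytes, which narrows to INT_MIN and is rejected; with count = 2^26 it is 2^32 bytes, which narrows to 0 and passes (the n = 0 case the poster mentions); with count = 2^26 + 1 it narrows to 64, so the signed check passes while the intended copy is over 4 GiB. The wide-type check rejects all three.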
-
Besides, having bugs isn't the issue. Resolving, reducing, and remaining well architected is the point.