Code fragments from two real-world instances
Browsing through the CERT Vulnerability Notes Database
over the last five years shows more than 70 integer overflow vulnerabilities that have led to critical security patches in widely-used software from commercial vendors such as Microsoft, Apple and Adobe, as well as open-source software such as Linux, X and Mozilla.
Practically all of the vulnerabilities involve arithmetic operations (add, subtract or multiply) on untrusted, user-modifiable values, where the potentially overflowing result is used as the argument to a critical operation such as memory allocation or buffer indexing. Code fragments from two real-world instances are shown below.
The first instance involves Gaim, the multi-protocol instant messaging client for Linux, BSD, MacOS X and Windows, and the second instance involves a libXpm example from X.Org.
Real-world instance No. 1:
GAIM example: Integer overflow in receiving DirectIM packets
In the example from GAIM, a user-supplied payload length of UINT_MAX causes an integer overflow in the second parameter of calloc, so only a 0-byte buffer is allocated. After msg is assigned that 0-byte buffer, aim_recv() is called repeatedly by the while loop, reading into and overwriting msg with up to 4GB of data!
Real-world instance No. 2:
libXpm example from X.Org: Integer overflow in libXpm library:
In the example from X.Org, image->ncolors is user supplied. By choosing a value greater than UINT_MAX/sizeof(Pixel), a malicious user can overflow the argument to XpmMalloc, so that the buffer for the image pixels has far fewer bytes than expected, leading to a potential denial of service (DoS) and loss of availability.
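As an added illustration (not code from Gaim, libXpm or this article), the two size computations described above in compilable form: the unchecked versions reproduce the wraparound in 32-bit unsigned arithmetic, and the checked versions test the bound before the operation and refuse to allocate. `Pixel` is a stand-in typedef and the function names are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

typedef unsigned int Pixel;   /* stand-in for libXpm's Pixel; only its size matters */

/* Unchecked forms: the arithmetic is done in unsigned int, as on a 32-bit
 * build, so the result silently wraps and an undersized buffer is requested. */
unsigned int naive_payload_bytes(unsigned int len)
{
    return len + 1;            /* len == UINT_MAX -> 0 bytes handed to calloc */
}

unsigned int naive_pixel_bytes(unsigned int ncolors)
{
    /* ncolors > UINT_MAX / sizeof(Pixel) wraps past UINT_MAX */
    return ncolors * (unsigned int)sizeof(Pixel);
}

/* Checked forms: compare against the bound before adding or multiplying,
 * because once the value has wrapped there is nothing left to detect. */
bool checked_payload_bytes(unsigned int len, unsigned int *out)
{
    if (len > UINT_MAX - 1)
        return false;          /* len + 1 would wrap */
    *out = len + 1;
    return true;
}

bool checked_pixel_bytes(unsigned int ncolors, unsigned int *out)
{
    if (ncolors > UINT_MAX / sizeof(Pixel))
        return false;          /* ncolors * sizeof(Pixel) would wrap */
    *out = ncolors * (unsigned int)sizeof(Pixel);
    return true;
}

/* Allocation wrappers: NULL means the request was refused by the size check,
 * instead of a too-small buffer being returned and later overrun. */
unsigned char *alloc_payload_safe(unsigned int len)
{
    unsigned int bytes;
    return checked_payload_bytes(len, &bytes) ? calloc(1, bytes) : NULL;
}

Pixel *alloc_pixels_safe(unsigned int ncolors)
{
    unsigned int bytes;
    return checked_pixel_bytes(ncolors, &bytes) ? malloc(bytes) : NULL;
}
```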
By using innovative technology to improve our source code, just as governments innovate to protect their currency, we can eventually make hard-to-find vulnerabilities such as integer overflows as easy to spot as a 3-dollar bill.
Dr. Sumant Kowshik is a static analysis expert and engineer at Coverity. Sumant is involved in the research and engineering of many aspects of Coverity's C/C++ static analysis. Most recently, Sumant co-invented and developed the first commercial SAT-based analysis, which received several industry awards for being one of the best innovations in embedded system tools.
More generally, Sumant is broadly interested in the problem of building dependable and secure software. Prior to joining Coverity, Sumant got his PhD in Computer Science from the University of Illinois at Urbana-Champaign, and a B.Tech in Computer Science from The Indian Institute of Technology, Madras, India. He can be reached at firstname.lastname@example.org.