Re: [Security-discuss] handling integer overflows


From: Nikos Mavrogiannopoulos
Subject: Re: [Security-discuss] handling integer overflows
Date: Sun, 01 Apr 2012 19:38:29 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111114 Icedove/3.1.16

On 04/01/2012 08:49 AM, Niels Möller wrote:
>>  I was wondering on how other gnu programs handle integer overflows.
> I think in many cases it is simpler and good enough to enforce
> reasonable (but somewhat arbitrary) limits on the inputs.
> E.g., if you require that all der length fields are less than 2^20,
> that may be sufficient to avoid overflows (assuming that int is at
> least 32 bits). Sure, it's perfectly ok with the spec to include a
> multi-gigabyte cat movie in an x.509 certificate, but that doesn't mean
> that it's a good idea to actually support such certificates.
> 
>> http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=3873c6a49122e3f15901646e072938557acd3f8e
> 
> Some comments:
> 
> 1. Do you really need signed values? For unsigned, addition overflow is
>    slightly simpler,
>      s = x + y;
>      if (s < x) overflow...
It might be that signed values are not really needed. I'll see whether
the same thing can be achieved with unsigned, which will simplify
things.

> 4. I think this type of code is prone to off-by-one-errors. I haven't
>    tried to check for that, but one has to consider that carefully, and
>    maybe some unit tests would make sense.
Do you mean the code for the safe multiplication/addition or the
original code for parsing asn.1?

regards,
Nikos
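The unsigned wrap check quoted above, together with a DER length decoder that applies a 2^20 input cap in the spirit of Niels' suggestion, as an added C example. This is illustration written for this page, not libtasn1's code and not the commit linked in the thread; the names (safe_add_size, safe_mul_size, der_read_length, der_element_fits, DER_LEN_LIMIT) and the sample byte strings are constructed for it. It uses unsigned arithmetic because unsigned wrap-around is defined behaviour in C while signed overflow is not, which is the simplification the first quoted point buys.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example for this thread; not libtasn1 code. Names are illustrative.
 * The 2^20 cap follows the thread's suggestion to bound DER length fields. */
#define DER_LEN_LIMIT ((size_t)1 << 20)

/* Unsigned addition: with wrap-around, the sum overflowed iff s < x. */
static int safe_add_size(size_t x, size_t y, size_t *out)
{
    size_t s = x + y;
    if (s < x)
        return 0;
    *out = s;
    return 1;
}

/* Unsigned multiplication: overflows iff y != 0 and x > SIZE_MAX / y. */
static int safe_mul_size(size_t x, size_t y, size_t *out)
{
    if (y != 0 && x > SIZE_MAX / y)
        return 0;
    *out = x * y;
    return 1;
}

/* Decode the DER length octets at buf[0..avail).
 * Returns the number of header bytes consumed (>= 1) and stores the content
 * length, or returns 0 for: empty input, indefinite form (0x80), truncated
 * header, non-minimal encoding, size_t overflow, or length >= DER_LEN_LIMIT. */
static size_t der_read_length(const unsigned char *buf, size_t avail, size_t *len_out)
{
    size_t n, i, len = 0;

    if (avail == 0)
        return 0;
    if (buf[0] < 0x80) {              /* short form: one octet, 0..127 */
        *len_out = buf[0];
        return 1;
    }
    n = buf[0] & 0x7f;                /* long form: n following octets */
    if (n == 0 || n > avail - 1)      /* 0x80 is indefinite (not DER); else truncated */
        return 0;
    if (buf[1] == 0 || (n == 1 && buf[1] < 0x80))
        return 0;                     /* DER requires the minimal encoding */
    for (i = 0; i < n; i++) {
        /* len = len * 256 + octet, each step checked for wrap-around */
        if (!safe_mul_size(len, 256, &len) || !safe_add_size(len, buf[1 + i], &len))
            return 0;
    }
    if (len >= DER_LEN_LIMIT)
        return 0;                     /* arbitrary but safe input limit */
    *len_out = len;
    return 1 + n;
}

/* Check that header + content fit in the remaining buffer, without the
 * classic "hdr + len <= avail" test being defeated by hdr + len wrapping. */
static int der_element_fits(size_t hdr, size_t len, size_t avail, size_t *total_out)
{
    size_t total;
    if (!safe_add_size(hdr, len, &total) || total > avail)
        return 0;
    *total_out = total;
    return 1;
}

int main(void)
{
    /* Constructed inputs, not taken from a real certificate. */
    const unsigned char ok[]     = { 0x82, 0x01, 0x00 };       /* length 256 */
    const unsigned char toobig[] = { 0x83, 0x10, 0x00, 0x00 }; /* length 2^20 */
    size_t len = 0, used;

    used = der_read_length(ok, sizeof ok, &len);
    printf("ok: consumed %zu header bytes, content length %zu\n", used, len);
    used = der_read_length(toobig, sizeof toobig, &len);
    printf("toobig: consumed %zu (0 means rejected)\n", used);
    return 0;
}
```

The cap check and the per-step overflow checks are redundant on a 64-bit build (a length of nine or more octets cannot pass the cap anyway), but keeping both means the decoder stays correct if the cap is later raised or the code is built where size_t is 32 bits.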
