[Full-disclosure] Re: Java integer overflows (was: a really long topic)
- To: "Andrew van der Stock" <vanderaj@xxxxxxxxxx>
- Subject: [Full-disclosure] Re: Java integer overflows (was: a really long topic)
- From: Eoin <eoinkeary@xxxxxxxxx>
- Date: Wed, 29 Mar 2006 10:41:29 +0100
Hello,
Even though Java throws an exception, if a catch is not present the
thread is killed.
The code that threw the exception is never resumed.
Also, using a finally block can ensure things stop gracefully.
Developers (I used to be one) also catch exceptions and bury them by
not doing anything with them.
-ek
On 29/03/06, Andrew van der Stock <vanderaj@xxxxxxxxxx> wrote:
> I'm not talking arbitrary code execution, I'm talking about odd code
> paths, bizarre outcomes, and DoS.
>
> For example (found via 19 Sins, Viega, Howard and LeBlanc):
> http://seclists.org/lists/bugtraq/2004/Nov/0097.html
>
> I know Michael reads webappsec, he may have more examples.
>
> In my own code testing, I look for silly behaviors if a user can
> insert a large or negative number. You'd be surprised how often it
> occurs. There is no excuse not to include basic range checks when
> performing data validation.
>
> thanks,
> Andrew
>
> On 29/03/2006, at 2:30 PM, michaelslists@xxxxxxxxx wrote:
>
> > No you don't.
> >
> > Arrays are all bounds checked; ..., that is, the following code will
> > throw an exception:
> >
> > ================================
> > class Foo {
> >     public static void main(String[] args) {
> >         int[] m = new int[2];
> >         // index 34 is outside a 2-element array: the JVM's bounds check
> >         // throws ArrayIndexOutOfBoundsException here
> >         System.out.println(m[34]);
> >     }
> > }
> > ================================
> >
> >
> > What do you mean by "overflow"? Do you mean this?
> >
> > ================================
> > class Foo {
> >     public static void main(String[] args) {
> >         int m = Integer.MAX_VALUE;
> >         // the addition wraps silently to -2; no exception is thrown
> >         int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
> >         System.out.println(m);
> >         System.out.println(k);
> >         System.exit(0);
> >     }
> > }
> > ================================
> >
> > if so, I don't see how that is an issue.
> >
> > -- Michael
> >
> >
> >
> > On 3/29/06, Andrew van der Stock <vanderaj@xxxxxxxxxx> wrote:
> >> This is not quite true.
> >>
> >> Java does not prevent integer overflows (it will not throw an
> >> exception). So you still have to be careful about array indexes.
> >>
> >> Andrew
>
>
>
>
--
Eoin Keary CISSP
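The situation Andrew describes (a large or negative number driving an odd code path and a DoS) and Eoin's point about thread death and buried exceptions, in one added Java example that is not code from the thread or from any of its authors. `RangeCheckDemo`, its `checksum*` methods and the 16-byte buffer are constructed for illustration; the example assumes Java 8 or later for `Math.addExact` and lambdas.

```java
import java.util.Arrays;

// Added example, not code from the thread. A range check whose addition
// overflows is bypassed; the JVM's array bounds check then turns the bug into
// an uncaught exception that kills the thread (a DoS), not a read past the
// buffer. The hardened version detects the overflow before any array access.
public class RangeCheckDemo {

    // Constructed 16-byte buffer standing in for real message data.
    static final byte[] BUFFER = new byte[16];

    // Vulnerable: for a large count, "offset + count" wraps negative, so the
    // comparison against buf.length passes even though count < 0 was tested.
    // Java raises no exception for the overflow itself.
    static int checksumUnchecked(byte[] buf, int offset, int count) {
        if (offset < 0 || count < 0 || offset + count > buf.length) {
            throw new IllegalArgumentException("range out of bounds");
        }
        int sum = 0;
        for (int i = 0; i < count; i++) {
            sum += buf[offset + i];   // bounds check fires once offset + i reaches buf.length
        }
        return sum;
    }

    // Hardened: Math.addExact (Java 8+) throws ArithmeticException on overflow
    // instead of wrapping; on older JVMs widen both operands to long first.
    static int checksumChecked(byte[] buf, int offset, int count) {
        if (offset < 0 || count < 0) {
            throw new IllegalArgumentException("negative offset or count");
        }
        int end;
        try {
            end = Math.addExact(offset, count);
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("offset + count overflows int", e);
        }
        if (end > buf.length) {
            throw new IllegalArgumentException("range out of bounds");
        }
        int sum = 0;
        for (int i = 0; i < count; i++) {
            sum += buf[offset + i];
        }
        return sum;
    }

    // Catch-and-bury: the failure is hidden and the caller cannot tell
    // rejected input from a genuinely empty range.
    static int checksumSwallowed(byte[] buf, int offset, int count) {
        try {
            return checksumUnchecked(buf, offset, count);
        } catch (RuntimeException e) {
            return 0;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Arrays.fill(BUFFER, (byte) 1);

        // 1. The arithmetic itself never throws: MAX_VALUE + 1 wraps to MIN_VALUE.
        System.out.println("MAX_VALUE + 1 = " + (Integer.MAX_VALUE + 1));

        // 2. Wrapped check, then the bounds check kills the worker thread; the
        //    code after the throw never resumes and only the handler sees it.
        Thread worker = new Thread(
            () -> checksumUnchecked(BUFFER, 8, Integer.MAX_VALUE), "worker");
        worker.setUncaughtExceptionHandler(
            (t, e) -> System.out.println(t.getName() + " died: " + e));
        worker.start();
        worker.join();

        // 3. The hardened check rejects the same input before any array access.
        try {
            checksumChecked(BUFFER, 8, Integer.MAX_VALUE);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("checksum of bytes 8..15 = " + checksumChecked(BUFFER, 8, 8));

        // 4. The swallowing version reports the bad input as a checksum of 0.
        System.out.println("swallowed: " + checksumSwallowed(BUFFER, 8, Integer.MAX_VALUE));
    }
}
```

Compile and run with `javac RangeCheckDemo.java && java RangeCheckDemo`. The unchecked path shows both halves of the thread: no exception from the overflow, then an exception from the bounds check that ends the worker thread; the checked path refuses the input in one place, which is the basic range check Andrew asks for.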
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- References:
- Re: [Full-disclosure] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code
- From: Andrew van der Stock
- [Full-disclosure] Java integer overflows (was: a really long topic)
- From: Andrew van der Stock