News:

Who uses forums anymore?

Main Menu

[VB6] Simple Checksumming Method

Started by Joe, June 27, 2005, 12:17:07 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages 1 2 All
User actions

iago

#15
June 30, 2005, 05:12:38 PM
Quote from: Tuberload on June 30, 2005, 12:17:18 PM
Quote from: iago on June 29, 2005, 08:24:37 PM
Quote from: Warrior on June 29, 2005, 08:04:33 PM
It seems worthy enough of an error, nonetheless. I mean if you overflow you can overwrite memory, no?

No.  I'll follow up in a bit, I'm busy right now

Aren't overflows a big bug in software used to run arbitrary code and such?

All right, sorry about that.

Anyways, there are different types of overflows.  In the sense we're talking about, it is an integer overflow.  That is when you add one to the maximum number and end up with 0.  The only type of vulnerability that that can lead to is a heap overflow, which is how Microsoft's JPEG decoder vulnerability came about.  More on that later.

The type of overflow that you're thinking of is an array overflow.  That is, when the programmer declares an array on the stack and then tries to add data to it that goes past the end of the array, it overwrites other data on the stack.  And if you control a program's stack, it's game over.

Now, back to the integer overflow.  This is something that people are never really taught, but that is very, very important.  Here is some innocent looking C code:
Code Select
int size = data[0]; // The first byte is the size, not including headers
unsigned char *buffer = malloc(size + 10); // allocate 10 extra bytes, to include the header
memcpy(buffer, data, 10); // copy the header
memcpy(buffer + 10, data + 10, size); // copy the rest of the data


That looks innocent enough.  But what if the user sends a size of 0xFFFFFFF6?  it will allocate size+10, or 0x00000000 bytes (due to the overflow).  Then it will go ahead and copy the data into the buffer.  Well, we only allocated 0 bytes, so we're overwriteing other data on the heap now.  This is a head overflow, and doesn't always lead to full control of the process but often it's game over.

Warrior

#16
June 30, 2005, 09:51:13 PM
...and what happens to the location in memory if you overflowed the variable...

I'd think the CPU would generate an exception before the memory was written to, no?
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

MyndFyre

#17
July 01, 2005, 12:18:59 AM
Quote from: Warrior on June 30, 2005, 09:51:13 PM
I'd think the CPU would generate an exception before the memory was written to, no?
Only if you tried to overwrite from a page of unprotected memory to a page of protected memory, AFAIK.
Quote from: Joe on January 23, 2011, 11:47:54 PM
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Quote from: Rule on May 26, 2009, 02:02:12 PMOur species really annoys me.

iago

#18
July 01, 2005, 12:27:41 AM
Quote from: MyndFyrex86] link=topic=1759.msg16362#msg16362 date=1120191539]
Quote from: Warrior on June 30, 2005, 09:51:13 PM
I'd think the CPU would generate an exception before the memory was written to, no?
Only if you tried to overwrite from a page of unprotected memory to a page of protected memory, AFAIK.

Yeah, you only get an exception if you overwrite memory that you aren't allowed to. 
Print
Go Up Pages 1 2 All
User actions