chapter 2: Representing and manipulating information
C allows conversion between unsigned and signed. The rule is that the underlying bit representation is not changed. Generally, most numbers are signed by default.For example, when declaring a
constant such as 12345 or 0x1A2B, the value is considered signed. Adding character ‘U’ or ‘u’ as a suffix creates an unsigned constant, e.g., 12345U or 0x1A2Bu.
When printing numeric values with printf, the directives %d, %u, and %x are used to print a number as a signed decimal, an unsigned decimal, and in hexadecimal format, respectively. Note that printf does not make use of any type information, and so it is possible to print a value of type int with directive %u and
a value of type unsigned with directive %d. For example, consider the following code:
int x = -1;
unsigned u = 2147483648; /* 2 to the 31st */
printf("x = %u = %d\n", x, x);
printf("u = %u = %d\n", u, u);
When run on a 32-bit machine, it prints the following:
x = 4294967295 = -1
u = 2147483648 = -2147483648
buger from:
Suppose, however, that some malicious programmer writes code that calls copy_from_kernel with
a negative value of maxlen. Then the minimum computation on line 16 will compute this value for len,
which will then be passed as the parameter n to memcpy. Note, however, that parameter n is declared as
having data type size_t. This data type is declared (via typedef) in the library file stdio.h. Typically it is defined to be unsigned int on 32-bit machines. Since argument n is unsigned, memcpy will treat it as a very large, positive number and attempt to copy that many bytes from the kernel region to the user’s buffer. Copying that many bytes (at least 231) will not actually work, because the program will encounter invalid addresses in the process, but the program could read regions of the kernel memory for which it is not authorized.
We can see that this problem arises due to the mismatch between data types: in one place the
length parameter is signed; in another place it is unsigned. Such mismatches can be a source of bugs
and, as this example shows, can even lead to security vulnerabilities. Fortunately, there were no reported cases where a programmer had exploited the vulnerability in FreeBSD. They issued a security advisory, “FreeBSD-SA-02:38.signed-error,” advising system administrators on how to apply a patch that would remove the vulnerability. The bug can be fixed by declaring parameter maxlen to copy_from_kernel
to be of type size_t, to be consistent with parameter n of memcpy. We should also declare local variable len and the return value to be of type size_t.
最新文章
- 重构第27天 去除上帝类(Remove God Classes)
- [Java] 匿名内部类
- 后缀自动机/回文自动机/AC自动机/序列自动机----各种自动机(自冻鸡) 题目泛做
- PHP中简单的图形处理
- jQuery-瀑布流 布局 (处理页面滚动和AJAX加载延迟问题)
- FPGA知识大梳理(四)FPGA中的复位系统大汇总
- 万方数据知识平台 TFHpple +Xpath解析
- T-SQL基础(7) - 透视,逆透视和分组集
- MongoDB系列五(地理空间索引与查询).
- 前端-JavaScript1-7——JavaScript之数学运算符
- linux vi如何保存编辑的文件
- ES搜索引擎基本操作
- 【Alpha阶段】展示博客发布!
- Java: 在dos窗口输入密码,不要把密码直接显示出来,原来可以这么简单
- 带分数|2013年蓝桥杯B组题解析第九题-fishers
- Codeforces 1073 E - Segment Sum
- Rx = Observables(响应) + LINQ(声明式语言) + Schedulers(异步)
- 代码阅读——十个C开源项目
- Mysql--通俗易懂的左连接、右连接、内连接
- Hadoop 新 MapReduce 框架 Yarn 详解【转】