Saturday, April 5, 2008

gcc silently discards some wraparound checks...buf+len < buf?

David LeBlanc's Web Log
Vulnerability Note VU#162289

Basically, what it says is that code which looks like this:

char *buf;
int len;

gcc will assume that buf+len >= buf.

As a result, code that performs length checks similar to the following:

len = 1<<30;
if(buf+len < buf) /* length check */
[...perform some manipulation on len...]

are compiled away by these versions of gcc

No comments: