<a href="https://colab.research.google.com/github/reneholt/secure-coding/blob/main/Integer_overflow.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

In [3]:
%%writefile IntegerOverflow.c

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int MAX_BUFFER_LENGTH = 11;     // [1]

char* initializeBuffer () {
    char* buffer = (char*) malloc(MAX_BUFFER_LENGTH * sizeof(char));

    if (buffer == NULL) {
        printf("Could not allocate memory on the heap\n");
    }

    return buffer;
}

int main(void) {
    signed int buffer_length;
    char* source_buffer = "0123456789";               // Arbitrary test data
    char* destination_buffer = NULL;

    buffer_length = -1;                              // Hypothetical attacker-controlled variable
    printf("buffer_length as a signed int is %d and implicitly cast to an unsigned int is %u\n",
           buffer_length, buffer_length);
  
    if (buffer_length > MAX_BUFFER_LENGTH) {         // [2] Faulty size check  
        printf("Integer overflow detected\n");
    }
    else {
        destination_buffer = initializeBuffer();
	
	      strncpy(destination_buffer, source_buffer, buffer_length);    // [3] Potential buffer overflow due to integer overflow        
	      destination_buffer[buffer_length] = '\0';

        printf("Destination buffer contents: %s\n", destination_buffer);
    }

    return 0;
}


Overwriting IntegerOverflow.c


In [4]:
%%shell
gcc IntegerOverflow.c -o IntegerOverflow
./IntegerOverflow

buffer_length as a signed int is -1 and implicitly cast to an unsigned int is 4294967295


CalledProcessError: ignored

Now let's fix the size check so we can detect the integer overflow.

if (buffer_length < 0 || buffer_length > MAX_BUFFER_LENGTH) {         // [2] Corrected size check 

In [5]:
%%writefile IntegerOverflow.c

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int MAX_BUFFER_LENGTH = 11;     // [1]

char* initializeBuffer () {
    char* buffer = (char*) malloc(MAX_BUFFER_LENGTH * sizeof(char));

    if (buffer == NULL) {
        printf("Could not allocate memory on the heap\n");
    }

    return buffer;
}

int main(void) {
    signed int buffer_length;
    char* source_buffer = "0123456789";                                    // Arbitrary test data
    char* destination_buffer = NULL;

    buffer_length = -1;                                                   // Hypothetical attacker-controlled variable
    printf("buffer_length as a signed int is %d and implicitly cast to an unsigned int is %u\n",
           buffer_length, buffer_length);
  
    if (buffer_length < 0 || buffer_length > MAX_BUFFER_LENGTH) {         // [2] Corrected size check  
        printf("Integer overflow detected\n");
    }
    else {
        destination_buffer = initializeBuffer(); 
	
      	strncpy(destination_buffer, source_buffer, buffer_length);        
      	destination_buffer[buffer_length] = '\0';

        printf("Destination buffer contents: %s\n", destination_buffer);
    }

    return 0;
}


Overwriting IntegerOverflow.c


In [6]:
%%shell
gcc IntegerOverflow.c -o IntegerOverflow
./IntegerOverflow

buffer_length as a signed int is -1 and implicitly cast to an unsigned int is 4294967295
Integer overflow detected


