zoukankan      html  css  js  c++  java
  • chapter 2: Representing and manipulating information

        

        C allows conversion between unsigned and signed. The rule is that the underlying bit representation is not changed. Generally, most numbers are signed by default.For example, when declaring a
    constant such as 12345 or 0x1A2B, the value is considered signed. Adding character ‘U’ or ‘u’ as a suffix creates an unsigned constant, e.g., 12345U or 0x1A2Bu.
        When printing numeric values with printf, the directives %d, %u, and %x are used to print a number as a signed decimal, an unsigned decimal, and in hexadecimal format, respectively. Note that printf does not make use of any type information, and so it is possible to print a value of type int with directive %u and
    a value of type unsigned with directive %d. For example, consider the following code:

          int x = -1;
          unsigned u = 2147483648; /* 2 to the 31st */


          printf("x = %u = %d ", x, x);
          printf("u = %u = %d ", u, u);
    When run on a 32-bit machine, it prints the following:
         x = 4294967295 = -1
         u = 2147483648 = -2147483648


    buger from:


          Suppose, however, that some malicious programmer writes code that calls copy_from_kernel with
    a negative value of maxlen. Then the minimum computation on line 16 will compute this value for len,
    which will then be passed as the parameter n to memcpy. Note, however, that parameter n is declared as
    having data type size_t. This data type is declared (via typedef) in the library file stdio.h. Typically it is defined to be unsigned int on 32-bit machines. Since argument n is unsigned, memcpy will treat it as a very large, positive number and attempt to copy that many bytes from the kernel region to the user’s buffer. Copying that many bytes (at least 231) will not actually work, because the program will encounter invalid addresses in the process, but the program could read regions of the kernel memory for which it is not authorized.

         We can see that this problem arises due to the mismatch between data types: in one place the
    length parameter is signed; in another place it is unsigned. Such mismatches can be a source of bugs
    and, as this example shows, can even lead to security vulnerabilities. Fortunately, there were no reported cases where a programmer had exploited the vulnerability in FreeBSD. They issued a security advisory, “FreeBSD-SA-02:38.signed-error,” advising system administrators on how to apply a patch that would remove the vulnerability. The bug can be fixed by declaring parameter maxlen to copy_from_kernel
    to be of type size_t, to be consistent with parameter n of memcpy. We should also declare local variable len and the return value to be of type size_t.


  • 相关阅读:
    使用sstream来进行类型转换
    C++中的istringstream
    C++中如何按照map中的value来进行排序
    019:别叫,这个大整数已经很简化了!
    ccf题库20170903--Json查询
    ccf题库中2015年12月2号消除类游戏
    ccf题库中2016年4月2日俄罗斯方块问题
    C++基础算法学习——逆波兰表达式问题
    C++基础算法学习——N皇后问题
    C++基础算法学习——汉洛塔问题
  • 原文地址:https://www.cnblogs.com/keanuyaoo/p/3343494.html
Copyright © 2011-2022 走看看