#include <stdio.h>
/*
A simple program to demonstrate integer overflow vulnerability.
The product a * a is computed in int with no range check, so any |a| above
46340 (on a 32-bit int) overflows.
*/
int main()
{
int a;
printf("Please give an integer for multiplication sample: ");
if (scanf("%d", &a) != 1) /* reject non-numeric input */
return 1;
printf("result of multiplication a is %d\n", (a * a)); /* unchecked multiply: overflows for large |a| */
return 0;
}
--------------------------------------------------------------------
By rights this compiles cleanly: no compiler will emit a warning for it, even with the -ggdb option, and most static analysis tools will not flag the multiplication as an overflow or a possible overflow. Only a few static analysis tools will warn of a possible overflow. BUT do developers know what is wrong with this code? Do developers KNOW where they should fix it? Of course only experienced developers know, but how many of them are there? I've seen an open-source encryption program with this kind of vulnerability. It has just been lucky that its number of users is small.
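The fix the post is asking for is a range check before the product is formed, since signed overflow in C is undefined behaviour and cannot be reliably detected afterwards. The following is an added example, not code from the original post: the same square computation with an explicit check, done once with a wider intermediate type and once without one. It assumes a 32-bit int and a 64-bit long long, as on mainstream platforms; the function names are hypothetical.

```c
/* Added example (not from the original post): a checked version of a * a.
   Assumes 32-bit int and 64-bit long long. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <stdbool.h>
#include <errno.h>

/* Computes a*a into *out and returns true only if the result fits in an int.
   The wider intermediate is exact because |INT_MIN|^2 < LLONG_MAX. */
bool checked_square(int a, int *out)
{
    long long wide = (long long)a * (long long)a;
    if (wide > INT_MAX)
        return false;
    *out = (int)wide;
    return true;
}

/* Same check without a wider type: compares |a| against INT_MAX / |a|
   before multiplying, so the multiplication itself can never overflow. */
bool checked_square_portable(int a, int *out)
{
    if (a == INT_MIN)            /* -INT_MIN does not fit in an int */
        return false;
    int mag = a < 0 ? -a : a;
    if (mag != 0 && mag > INT_MAX / mag)
        return false;
    *out = mag * mag;
    return true;
}

/* Largest non-negative int whose square fits: documents the program's
   valid input range (46340 for a 32-bit int). */
int max_safe_square_input(void)
{
    int a = 0;
    while (a < INT_MAX / 2 && (long long)(a + 1) * (a + 1) <= INT_MAX)
        a++;
    return a;
}

int main(void)
{
    char line[64];
    printf("Please give an integer for multiplication sample: ");
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;

    /* strtol with errno rejects input that does not even fit in a long,
       and the explicit comparison rejects values outside int's range. */
    char *end;
    errno = 0;
    long v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || v < INT_MIN || v > INT_MAX) {
        fprintf(stderr, "input is not a valid int\n");
        return 1;
    }

    int result;
    if (!checked_square((int)v, &result)) {
        fprintf(stderr, "%ld * %ld would overflow int (max safe |a| is %d)\n",
                v, v, max_safe_square_input());
        return 1;
    }
    printf("result of multiplication a is %d\n", result);
    return 0;
}
```

The two checked functions give the same answers; the portable one is the shape to use in code that must also build where no wider integer type is available. GCC and Clang additionally offer __builtin_mul_overflow for the same purpose, and compiling with -ftrapv or -fsanitize=signed-integer-overflow turns the silent wrap into a detectable abort during testing.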