Truncation

From Guidance Share


Description

Truncation errors occur when a value is converted, explicitly or implicitly, to a primitive type of a smaller size. The high-order bits that do not fit in the destination type are discarded, so the value that is actually stored and used differs from the value the program computed.

Applies To

  • Languages: C, C++, Assembly
  • Operating platforms: All

Example

This example, while not exploitable by itself, shows how a value is mangled when it is narrowed to a smaller type. The largest positive int has all bits set except the sign bit; keeping only its low 16 bits leaves every bit set, which a short interprets as -1:

    #include <limits.h>
    #include <stdio.h>

    int main(void)
    {
        int intPrimitive;
        short shortPrimitive;

        /* Build INT_MAX by hand: all ones with the sign bit cleared.
           The arithmetic is done on unsigned values so the shift into the
           top bit is well defined; the result (0x7FFFFFFF) fits in an int. */
        intPrimitive = (int)(~0u ^ (1u << (sizeof(int) * CHAR_BIT - 1)));

        /* Implicit narrowing conversion: only the low 16 bits survive. */
        shortPrimitive = intPrimitive;

        printf("Int MAXINT: %d\nShort MAXINT: %d\n",
               intPrimitive, shortPrimitive);
        return 0;
    }

The above code, when compiled and run on a platform with 32-bit int and 16-bit short, prints:

    Int MAXINT: 2147483647
    Short MAXINT: -1

A frequent pattern that makes such a problem exploitable is a truncated value being used as an array index, or as a length for an allocation or a copy. The truncation can be implicit: when a 64-bit value (for example a size_t length) is assigned to a 32-bit int, only the low 32 bits are kept, so a bounds check performed on the narrowed value says nothing about the value that is later used.

Impact

  • Integrity: The true value of the data is lost and corrupted data is used. When the truncated value is an index or a length, the result can be an out-of-bounds access.

Vulnerabilities

  • Type casting data without taking out-of-range conditions into account.

Countermeasures

  • Implementation: Avoid casts, implicit or explicit, that move a value from a larger primitive type to a smaller one. Where a narrowing conversion is unavoidable, check that the value fits in the destination type (for example against SHRT_MAX or USHRT_MAX from <limits.h>) before converting, and perform bounds checks on the full-width value rather than on the narrowed copy. Compiler warnings for implicit conversions (for example -Wconversion in GCC and Clang) help locate implicit narrowing.
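The following is an added example, not code from the original page, illustrating both the exploitable pattern described under Example (a length narrowed before a bounds check, then used at full width) and the countermeasure above (range-check the full-width value before narrowing). The buffer size, the function names and the sample data are assumptions chosen for the illustration. The vulnerable function only reports whether its check would accept a length; it never performs the overflowing copy, so the example is safe to run.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64          /* assumed size of the destination buffer */

/* Hypothetical decoder state: a fixed-size buffer filled from input. */
struct record {
    unsigned char buf[BUF_SIZE];
    size_t used;
};

/*
 * Vulnerable pattern: the 64-bit length is narrowed to a 16-bit field and
 * the bounds check is made on the narrowed copy.  A length of 0x10010
 * becomes 0x0010 after truncation, passes the check, and a copy using the
 * original length would then write 65552 bytes into a 64-byte buffer.
 * This function returns only the verdict of the flawed check.
 */
bool vulnerable_accepts(size_t len)
{
    unsigned short truncated = (unsigned short)len;   /* high bits lost here */
    return truncated <= BUF_SIZE;                     /* check on wrong value */
}

/* Countermeasure: validate the full-width value before narrowing it. */
bool hardened_accepts(size_t len)
{
    if (len > USHRT_MAX)          /* would not survive narrowing to unsigned short */
        return false;
    unsigned short checked = (unsigned short)len;     /* lossless now */
    return checked <= BUF_SIZE;
}

/* Copies len bytes into the record only if the full-width check passes.
   Returns the number of bytes copied, or 0 if the length was rejected. */
size_t safe_copy(struct record *r, const unsigned char *src, size_t len)
{
    if (!hardened_accepts(len))
        return 0;
    memcpy(r->buf, src, len);
    r->used = len;
    return len;
}

/* Same trap with a signed index: a 64-bit value narrowed to int is mangled
   whenever it does not fit.  Returns true if the round trip changed it. */
bool int_index_truncates(size_t idx)
{
    int narrowed = (int)idx;
    return (size_t)narrowed != idx;
}

/* Exercises safe_copy on constructed sample data (64 bytes of 0xAA). */
size_t demo_copy(size_t len)
{
    unsigned char src[BUF_SIZE];
    struct record r = {{0}, 0};
    memset(src, 0xAA, sizeof src);
    return safe_copy(&r, src, len);
}

int main(void)
{
    size_t evil = 0x10010;    /* constructed: 65552, low 16 bits are 0x0010 */
    printf("len %zu: vulnerable check accepts=%d, hardened check accepts=%d\n",
           evil, vulnerable_accepts(evil), hardened_accepts(evil));
    printf("copy of 32 bytes -> %zu, copy of %zu bytes -> %zu\n",
           demo_copy(32), evil, demo_copy(evil));
    printf("index 2^32 truncates to int: %d\n",
           int_index_truncates((size_t)1 << 32));
    return 0;
}
```

The point of the contrast is where the check happens: vulnerable_accepts compares a value that has already lost its high bits, while hardened_accepts rejects anything that would not survive the narrowing before converting it. The same discipline applies to indexes: compare the full-width size_t against the array bound and only then, if a narrower type is really required, convert.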
