Reversing : The Hacker's Guide to Reverse Engineering

Arithmetic Operations on User-Supplied Integers

Integer overflows come in many flavors. Consider, for example, another case
where the buffer length is received from the attacker and is then somehow
modified. This is quite common, especially if the program needs to store the
user-supplied buffer along with some header or other fixed-sized supplement.
Suppose the program takes the user-supplied length and adds a certain constant
to it—this will typically be a header length of some sort. This can create
significant risks because an attacker could take advantage of integer overflows
to create a buffer overflow. Here is an example of code that does this sort of
thing:

allocate_object:
00401021 push esi
00401022 push edi
00401023 mov edi,[esp+0x10]
00401027 lea esi,[edi+0x18]
0040102a push esi
0040102b call Chapter7!malloc (004010d8)
00401030 pop ecx
00401031 xor ecx,ecx
00401033 cmp eax,ecx
00401035 jnz Chapter7!allocate_object+0x1a (0040103b)
00401037 xor eax,eax
00401039 jmp Chapter7!allocate_object+0x42 (00401063)
0040103b mov [eax+0x4],ecx
0040103e mov [eax+0x8],ecx
00401041 mov [eax+0xc],ecx
00401044 mov [eax+0x10],ecx
00401047 mov [eax+0x14],ecx
0040104a mov ecx,edi
0040104c mov edx,ecx
0040104e mov [eax],esi
00401050 mov esi,[esp+0xc]
00401054 shr ecx,0x2
00401057 lea edi,[eax+0x18]
0040105a rep movsd
0040105c mov ecx,edx
0040105e and ecx,0x3
00401061 rep movsb
00401063 pop edi
00401064 pop esi
00401065 ret

The preceding contrived, yet somewhat realistic, function takes a buffer
pointer and a buffer length as parameters and allocates a buffer of the length
passed to it via [esp+0x10] plus 0x18 (24 bytes). It then initializes what
appears to be some kind of a header in the beginning and copies the
user-supplied buffer from [esp+0xc] to offset +0x18 in the newly allocated
block (that's
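As an added illustration (C written for this page, not the book's own code), the following mirrors the listing's size arithmetic in 32-bit unsigned terms and puts an overflow-checked version of allocate_object beside it. The names HEADER_SIZE, unchecked_alloc_size, checked_alloc_size, allocate_object_safe and stored_total are chosen here; the block layout (total length at offset 0, zeroed header, user data at +0x18) follows the listing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fixed header the listing prepends to the user data (lea esi,[edi+0x18]). */
#define HEADER_SIZE 0x18u

/* The listing's size arithmetic: a plain 32-bit add. A length close to
 * UINT32_MAX wraps to a tiny total, so malloc would return a block far
 * smaller than the copy that follows. This function only computes the total. */
uint32_t unchecked_alloc_size(uint32_t user_len)
{
    return user_len + HEADER_SIZE;      /* wraps modulo 2^32 */
}

/* Hardened version: reject any length whose total would wrap.
 * 0 is the error value; it can never be a valid total here because the
 * header alone is 0x18 bytes. */
uint32_t checked_alloc_size(uint32_t user_len)
{
    if (user_len > UINT32_MAX - HEADER_SIZE)
        return 0;
    return user_len + HEADER_SIZE;
}

/* allocate_object with the check in place: zero the 0x18-byte header,
 * store the total at offset 0 (the listing's mov [eax],esi), then copy the
 * caller's data to offset 0x18 (the listing's rep movsd / rep movsb).
 * Returns NULL on overflow or allocation failure. */
uint8_t *allocate_object_safe(const void *data, uint32_t len)
{
    uint32_t total = checked_alloc_size(len);
    if (total == 0)
        return NULL;
    uint8_t *obj = malloc(total);
    if (obj == NULL)
        return NULL;
    memset(obj, 0, HEADER_SIZE);
    memcpy(obj, &total, sizeof total);
    memcpy(obj + HEADER_SIZE, data, len);
    return obj;
}

/* Read back the total stored in the header, used to check the layout. */
uint32_t stored_total(const uint8_t *obj)
{
    uint32_t total;
    memcpy(&total, obj, sizeof total);
    return total;
}
```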

258 Chapter 7