Code demonstrating the vulnerability

#include <stdlib.h>
#include <string.h>

void* copy_elements(void *ele_src[], int ele_cnt, size_t ele_size) {
	/*
	 * Allocate buffer for ele_cnt objects, each of ele_size bytes,
	 * and copy from locations designated by ele_src.
	 * The product ele_cnt * ele_size is computed with no overflow
	 * check; this is the vulnerability discussed below.
	 */
	void *result = malloc(ele_cnt * ele_size);
	if (result == NULL)
		/* malloc failed */
		return NULL;
	char *next = result;   /* char* so the pointer arithmetic below is well-defined */
	int i;
	for (i = 0; i < ele_cnt; i++) {
		/* Copy object to destination */
		memcpy(next, ele_src[i], ele_size);
		/* Move pointer to next memory region */
		next += ele_size;
	}
	return result;
}

Explanation of the bug

  • The function copy_elements is designed to copy ele_cnt data structures (each of ele_size bytes) into a buffer allocated with malloc(ele_cnt * ele_size). The product is computed in ordinary machine arithmetic with no overflow check, so the buffer that malloc returns can be smaller than the total number of bytes the copy loop writes.

Exploiting the bug

  • Imagine that ele_cnt is set as and ele_size as .
  • The program is compiled for a 32-bit system.
  • Then the multiplication ele_cnt * ele_size wraps around in 32-bit arithmetic, causing only 4096 bytes to be allocated (instead of the 4,294,971,392 bytes actually needed).
  • The loop that copies each element will still attempt to copy all of those bytes, overrunning the end of the 4096-byte allocated buffer. This corrupts other data structures.
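The following is an added example, not code from the original page: it reproduces the 32-bit wraparound in uint32_t arithmetic so it behaves the same on a 64-bit host, and shows a hardened copy_elements that checks the product before calling malloc. The values 1048577 and 4096 used in the comments and tests are constructed here (the page does not state its values); they are one pair whose product is the 4,294,971,392 bytes the text mentions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Product of count and size as a 32-bit machine computes it: uint32_t
 * arithmetic wraps modulo 2^32, which is the overflow the text describes.
 * e.g. 1048577 * 4096 = 2^32 + 4096, so the result is 4096. */
uint32_t alloc_size_32(uint32_t ele_cnt, uint32_t ele_size) {
    return ele_cnt * ele_size;
}

/* Overflow guard: nonzero only if ele_cnt * ele_size <= limit without
 * wrapping. The division cannot overflow, so it is safe for any inputs. */
int mul_fits(size_t ele_cnt, size_t ele_size, size_t limit) {
    return ele_size == 0 || ele_cnt <= limit / ele_size;
}

/* Hardened copy_elements: an unsigned count (no negative counts) and an
 * explicit check that the allocation size cannot wrap before malloc runs. */
void *copy_elements_safe(void *ele_src[], size_t ele_cnt, size_t ele_size) {
    if (!mul_fits(ele_cnt, ele_size, SIZE_MAX))
        return NULL;                 /* refuse rather than under-allocate */
    void *result = malloc(ele_cnt * ele_size);
    if (result == NULL)
        return NULL;
    char *next = result;             /* char* keeps pointer arithmetic defined */
    for (size_t i = 0; i < ele_cnt; i++) {
        memcpy(next, ele_src[i], ele_size);
        next += ele_size;
    }
    return result;
}

/* Round-trip check on three constructed 4-byte elements; returns 1 on success. */
int demo_copy_ok(void) {
    unsigned char a[4] = {1, 2, 3, 4}, b[4] = {5, 6, 7, 8}, c[4] = {9, 10, 11, 12};
    void *src[3] = {a, b, c};
    unsigned char expected[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    unsigned char *out = copy_elements_safe(src, 3, 4);
    if (out == NULL)
        return 0;
    int ok = memcmp(out, expected, sizeof expected) == 0;
    free(out);
    return ok;
}
```

Using calloc(ele_cnt, ele_size) instead of malloc is another common fix, since conforming implementations perform the same overflow check internally.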
