right,
but we're talking about unmanaged vs managed, and the earlier poster
(i think it might've been "pavel" [sorry if it wasn't]), said that
100% java is still vulnerable to buffer overflows. the fact is that it
isn't.
-- Michael
On 3/29/06, Andrew van der Stock <vanderaj@greebo.net> wrote:
I'm not talking arbitrary code execution, I'm talking about odd code
paths, bizarre outcomes, and DoS.
For example (found via 19 Sins, Viega, Howard and LeBlanc):
http://seclists.org/lists/bugtraq/2004/Nov/0097.html
I know Michael reads webappsec, he may have more examples.
In my own code testing, I look for silly behaviors if a user can
insert a large or negative number. You'd be surprised how often it
occurs. There is no excuse not to include basic range checks when
performing data validation.
thanks,
Andrew
On 29/03/2006, at 2:30 PM, michaelslists@gmail.com wrote:
No you dont.
Arrays are all bounds checked; ..., that is, the following code will
throw an exception:
================================
class Foo {
static {
int[] m = new int[2];
System.out.println(m[34]);
}
}
================================
What do you mean by "overflow"? Do you mean this?
================================
class Foo {
static {
int m = Integer.MAX_VALUE;
int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
System.out.println(m);
System.out.println(k);
System.exit(0);
}
}
================================
if so, I don't see how that is an issue.
-- Michael
On 3/29/06, Andrew van der Stock <vanderaj@greebo.net> wrote:
This is not quite true.
Java does not prevent integer overflows (it will not throw an
exception). So you still have to be careful about array indexes.
Andrew
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
