Functions taking size_t and returning ssize_t

An interesting genre of bug occurs in C when the return value and the success status of a function share the same variable.

Consider the read function.

ssize_t read(int fd, void *buf, size_t count);

size_t is normally unsigned int, and ssize_t is int.

How big can count be? read returns the number of bytes it read. It should be equal to count when it succeeds (except in the case of a non-blocking read). But what if count is greater than INT_MAX?

I’ve seen it to be the case that various functions in libc return (ssize_t)count, even when count is greater than INT_MAX. This is the case with the 32-bit lseek calls in Linux.

I am sure there are vulnerabilities present due to this behaviour. It’s only a question of where they are.
