C allows conversion between unsigned and signed. The rule is that the underlying bit representation is not changed. Generally, most numbers are signed by default.For example, when declaring a
constant such as 12345 or 0x1A2B, the value is considered signed. Adding character ‘U’ or ‘u’ as a suffix creates an unsigned constant, e.g., 12345U or 0x1A2Bu.
    When printing numeric values with printf, the directives %d, %u, and %x are used to print a number as a signed decimal, an unsigned decimal, and in hexadecimal format, respectively. Note that printf does not make use of any type information, and so it is possible to print a value of type int with directive %u and
a value of type unsigned with directive %d. For example, consider the following code:

int x = -1;
      unsigned u = 2147483648; /* 2 to the 31st */

printf("x = %u = %d\n", x, x);
      printf("u = %u = %d\n", u, u);
When run on a 32-bit machine, it prints the following:
     x = 4294967295 = -1
     u = 2147483648 = -2147483648

buger from:

Suppose, however, that some malicious programmer writes code that calls copy_from_kernel with
a negative value of maxlen. Then the minimum computation on line 16 will compute this value for len,
which will then be passed as the parameter n to memcpy. Note, however, that parameter n is declared as
having data type size_t. This data type is declared (via typedef) in the library file stdio.h. Typically it is defined to be unsigned int on 32-bit machines. Since argument n is unsigned, memcpy will treat it as a very large, positive number and attempt to copy that many bytes from the kernel region to the user’s buffer. Copying that many bytes (at least 231) will not actually work, because the program will encounter invalid addresses in the process, but the program could read regions of the kernel memory for which it is not authorized.

We can see that this problem arises due to the mismatch between data types: in one place the
length parameter is signed; in another place it is unsigned. Such mismatches can be a source of bugs
and, as this example shows, can even lead to security vulnerabilities. Fortunately, there were no reported cases where a programmer had exploited the vulnerability in FreeBSD. They issued a security advisory, “FreeBSD-SA-02:38.signed-error,” advising system administrators on how to apply a patch that would remove the vulnerability. The bug can be fixed by declaring parameter maxlen to copy_from_kernel
to be of type size_t, to be consistent with parameter n of memcpy. We should also declare local variable len and the return value to be of type size_t.

chapter 2: Representing and manipulating information的更多相关文章

  1. 《CSAPP》读书杂记 - Chapter 2. Representing and Manipulating Information

    1. 一段查看地址内容的代码 代码: #include <stdio.h> typedef unsigned char *byte_pointer; void show_bytes(byt ...

  2. Chap 2 Representing and Manipulating Information (CS:APP)

    -------------------------------------------------------------------------------------------------- A ...

  3. MySQL Crash Course #13# Chapter 21. Creating and Manipulating Tables

    之前 manipulate 表里的数据,现在则是 manipulate 表本身. INDEX 创建多列构成的主键 自动增长的规定 查看上一次插入的自增 id 尽量用默认值替代 NULL 外键不可以跨引 ...

  4. 六星经典CSAPP笔记(2)信息的操作和表示

    2.Representing and Manipulating Information 本章从二进制.字长.字节序,一直讲到布尔代数.位运算,最后无符号.有符号整数.浮点数的表示和运算.诚然有些地方的 ...

  5. 【CSAPP笔记】1. 位、字节、整型

    <Computer Systems a Programmer's Perspective>,机械工业出版社.中文译名<深入理解计算机系统>.作者:(美)Randal E.Bry ...

  6. Chapter 6 — Improving ASP.NET Performance

    https://msdn.microsoft.com/en-us/library/ff647787.aspx Retired Content This content is outdated and ...

  7. Professional C# 6 and .NET Core 1.0 - Chapter 42 ASP.NET Web API

    本文内容为转载,重新排版以供学习研究.如有侵权,请联系作者删除. 转载请注明本文出处: -------------------------------------------------------- ...

  8. Modules you should know in Python Libray

    前两天被问到常用的python lib和module有哪些?最常用的那几个,其他的一下子竟然回答不上.想想也是,一般情况下,遇到一个问题,在网上一搜,顺着线索找到可用的例子,然后基本没有怎么深究.结果 ...

  9. Data Types

    原地址: Home / Database / Oracle Database Online Documentation 11g Release 2 (11.2) / Database Administ ...

随机推荐

  1. 在Eclipse里设置格式化代码时不格式化注释

    在Eclipse里设置格式化代码时不格式化注释 今天格式化代码 发现直接format会把注释也一块格式化了,有时候会把好好的注释弄的很乱.甚为头疼. 查阅之后解决办法如下: Windows -> ...

  2. lesson2:java阻塞队列的demo及源码分析

    本文向大家展示了java阻塞队列的使用场景.源码分析及特定场景下的使用方式.java的阻塞队列是jdk1.5之后在并发包中提供的一组队列,主要的使用场景是在需要使用生产者消费者模式时,用户不必再通过多 ...

  3. libsvm java 调用说明

    libsvm是著名的SVM开源组件,目前有JAVA.C/C++,.NET 等多个版本,本人使用的是2.9libsvm命名空间下主要使用类:svm_model 为模型类,通过训练或加载训练好的模型文件获 ...

  4. HDOJ 5093 Battle ships 二分图匹配

    二分图匹配: 分别按行和列把图展开.hungary二分图匹配. ... 例子: 4 4 *ooo o### **#* ooo* 按行展开. .. . *ooo o#oo oo#o ooo# **#o ...

  5. mvc之验证IEnumerable<T> 类型

    假设我们有这么一种需求,我们要同时添加年级和年级下面的多个班级,我们一般会像下面这种做法. Action中我们这样接收: [HttpPost] public ActionResult CreateGr ...

  6. poj 2454 Jersey Politics dfs

    这个题目第一步还是比较明显的,先把最小的n个值去掉,剩下的问题就是能不能把数据分成两半,使得每一半和都大于n*500,这个刚开始考虑了下dp的做法,但是复杂度不满足要求. 那么能想到的就是搜索了,实际 ...

  7. [RxJS] Creation operator: of()

    RxJS is a lot about the so-called "operators". We will learn most of the important operato ...

  8. freemarker常用的基本命令

    freemarker包括下面几个基本命令 if,else,elseif指令switch,case,default,break指令list,break指令include指令import 指令nopars ...

  9. 自定义控件 进度条 ProgressBar-2

    使用 <ScrollView xmlns:android="http://schemas.android.com/apk/res/android"     xmlns:bqt ...

  10. Redis配置不当可导致服务器被控制,已有多个网站受到影响 #通用程序安全预警#

    文章出自:http://news.wooyun.org/6e6c384f2f613661377257644b346c6f75446f4c77413d3d 符合预警中“Redis服务配置不当”条件的服务 ...