Using integers

Recommendations

There are a set of core rules that can help mitigate issues when dealing with integers:

• Don't use signed integers, shorts, or chars when storing sizes that are supplied by network data.
• Don't use signed integers, shorts, or chars for any variables that represent natural or countable items. Use signed variables only if a negative value makes sense in that context.
• When performing arithmetic in conditional statements, ensure that the arithmetic is always balanced.
• When casting, consider sign extension and zero extension in addition to truncation.
• Where possible, avoid mixing types in expressions. Try to use consistent types or cast to consistent types, keeping the above guidelines in mind.
• Remember that memory and copy functions in C/C++ treat all integers as unsigned.

Integer overflows and underflows

Integers can overflow and underflow. Consider the following function that results in an integer overflow:

#include <stdio.h>

int main(int argc, char * argv[]) {
     int intFoo=0;

     fprintf(stdout,"[i] %d %u\n",intFoo,intFoo);
     intFoo -= 1;
     fprintf(stdout,"[i] %d %u\n",intFoo,intFoo);

     return 0;
}

Calling this function results in the following:

[i] 0 0
[i] -1 4294967295

Since unsigned integers range from 0 to 232 - 1, subtracting 1 from 0 causes the value to wrap around and result in a potentially undesired value.

For applications that are written in a non-memory safe language like C and C++, these overflow issues can lead to memory corruption and catastrophic security compromises. If you do not catch exceptions and deal with them appropriately, integer underflow or overflow can result in a DoS and might lead to unexpected application behavior. In the case of security-relevant components, these issues can then allow other types of security breaches. For example, inducing an integer overflow can circumvent the functionality of an access control system.