Code Auditing Experience – Conversion APIs expect the data in some specific format.


Recently I analysed a native app and found some interesting cases. I want to remember these myself, so I am blogging them.


I was analysing a module that processes syslog-style messages. It reads a packet from the network and tries to convert the "date" field. It used localtime() to do the conversion. As a developer, I used to think that localtime() could never fail. Unfortunately localtime() has some inputs (e.g. 0xFFFFFFFF) for which it fails and returns NULL. That leads to a NULL pointer dereference, which then became a critical issue.


Another example involves strtol().

strtol() on Windows expects the string in a particular format. If you pass a user-controlled string to strtol() and don't check the return value, it is going to raise more issues. We usually don't worry about the return value of a strtol() call. In my auditing experience it once led to a heap overflow.

strtol() expects nptr to point to a string of the following form:

[whitespace] [{+ | -}] [0 [{x | X}]] [digits]

I learnt one thing today: all conversion APIs expect the data in some specific format. We SHOULD check the return value of most functions. I have added strtol() and localtime() to the "Candidate Analysis" phase of my manual code auditing.
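The two checks argued for above, written out as an added example (this is not code from the post or from the audited module): a localtime() wrapper that refuses to dereference a NULL result, and a strtol() wrapper that validates every failure mode strtol() reports (no digits consumed, trailing garbage, ERANGE) plus the caller's own bounds. The function names and the syslog priority field used in the comments are assumptions for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>

/* Format a raw timestamp as "YYYY-MM-DD HH:MM:SS" into out.
 * Returns false instead of dereferencing the NULL that localtime()
 * returns for values it cannot represent (the post's 0xFFFFFFFF case,
 * or a value whose year does not fit in an int). */
bool format_timestamp(time_t raw, char *out, size_t outlen)
{
    struct tm *tmp = localtime(&raw);   /* may legitimately return NULL */
    if (tmp == NULL) {
        return false;                   /* caller decides how to log/drop */
    }
    return strftime(out, outlen, "%Y-%m-%d %H:%M:%S", tmp) != 0;
}

/* Parse a numeric field (for example a syslog priority such as "13")
 * from attacker-controlled input into *value, constrained to [min, max].
 * Returns false and leaves *value untouched on any failure, so the
 * caller can never use a half-parsed or out-of-range number as a size
 * or index. */
bool parse_long_field(const char *field, long min, long max, long *value)
{
    if (field == NULL || *field == '\0') {
        return false;                   /* empty input: strtol() would return 0 */
    }
    char *end = NULL;
    errno = 0;                          /* strtol() only sets errno, never clears it */
    long v = strtol(field, &end, 10);   /* fixed base 10: no "0x" auto-detection */
    if (errno == ERANGE) {
        return false;                   /* clamped to LONG_MIN/LONG_MAX, not a real value */
    }
    if (end == field || *end != '\0') {
        return false;                   /* nothing consumed, or trailing garbage */
    }
    if (v < min || v > max) {
        return false;                   /* syntactically fine but outside caller's range */
    }
    *value = v;
    return true;
}
```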
