<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite">
<pre wrap="">Date: Thu, 15 Sep 2016 18:48:14 -0400
From: Jerry Leichter <a class="moz-txt-link-rfc2396E" href="mailto:leichter@lrw.com"><leichter@lrw.com></a>
<a class="moz-txt-link-freetext" href="http://arstechnica.com/security/2016/09/signal-fixes-bug-that-let-attackers-tamper-with-encrypted-messages/">http://arstechnica.com/security/2016/09/signal-fixes-bug-that-let-attackers-tamper-with-encrypted-messages/</a> (which has links to the actual release) describes a few recently-reported bugs in the Android version of Signal. They actually include the vulnerable line of code:
int remainingData = (int) file.length() - mac.getMacLength();
</pre>
</blockquote>
<br>
This has nothing to do with programming in general or the C language
but a bad development practice.<br>
<br>
Everywhere in pretty much most of libc the APIs use "size_t" to
represent length. Using "int" to represent length is a throwback to
K&R C. This just shows that the developer has not updated his or
her understanding of the current state of the C language and its
idioms. It is more likely that the developer was getting warnings
from the compiler and used the "(int)" to get rid of the warnings.<br>
<br>
Instead the developer should have done this:<br>
<br>
ssize_t remainingData = file.length() - mac.getMacLength();<br>
<br>
This way on a 64-bit machine ssize_t would be signed 64-bits and the
overflow would not occur.<br>
<br>
--Vikas<br>
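<br>
An added illustration (not code from Signal or from either poster) of the narrowing the thread discusses: the "before" function mirrors the quoted <tt>(int) file.length() - mac.getMacLength()</tt> by keeping only the low 32 bits of a 64-bit length, the "after" function keeps the subtraction in a 64-bit signed type as the reply suggests, and a third variant rejects files shorter than the tag. All lengths below are constructed sample values.<br>

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* "Before": the 64-bit file length is narrowed to its low 32 bits before the
   subtraction, as Java's (int) narrowing does. In C a direct out-of-range cast
   is implementation-defined, so the uint32_t step makes the truncation explicit
   and portable. Constructed example, not Signal's code. */
int remaining_truncated(uint64_t file_len, int mac_len)
{
    return (int)(uint32_t)file_len - mac_len;
}

/* "After": keep the arithmetic in a 64-bit signed type (ssize_t on LP64
   platforms; int64_t here so the width does not depend on the target). */
int64_t remaining_wide(uint64_t file_len, size_t mac_len)
{
    return (int64_t)file_len - (int64_t)mac_len;
}

/* Defensive variant: a file shorter than the MAC tag is malformed, so refuse it
   instead of handing a negative or wrapped byte count to the caller. */
bool remaining_checked(uint64_t file_len, size_t mac_len, uint64_t *out)
{
    if (file_len < mac_len)
        return false;
    *out = file_len - mac_len;
    return true;
}

int main(void)
{
    uint64_t big = UINT64_C(4294967296) + 100; /* constructed: 4 GiB + 100 bytes */
    size_t mac_len = 32;                       /* e.g. an HMAC-SHA256 tag */
    uint64_t ok;

    /* Narrowed: 100 - 32 = 68 bytes of "data" for a 4 GiB file. */
    printf("truncated: %d\n", remaining_truncated(big, (int)mac_len));
    /* Wide: 4294967364, the real payload length. */
    printf("wide:      %lld\n", (long long)remaining_wide(big, mac_len));
    if (remaining_checked(big, mac_len, &ok))
        printf("checked:   %llu\n", (unsigned long long)ok);
    if (!remaining_checked(5, mac_len, &ok))
        printf("checked:   5-byte file rejected (shorter than the tag)\n");
    return 0;
}
```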
</body>
</html>