nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Error checks? Eh? What could go wrong, really? (DoSing a US govt site)

More awful code you've seen in action ... or should that be inaction

By Chris Williams, 23 Mar 2016

Line Break It's time for your dose of Line Break, our Wednesday column of coding nightmares that have haunted Register readers at one time or another.

This also means we're already halfway to Friday. Judging by some of these following tales, we can only assume one too many developers out there are already half cut by this point in the week. That can be the only explanation.

Running array with the fairies

Martin is off the starting line first, writing in with this story of software trying to be clever and instead imploding spectacularly:

I still have fond memories of the server crash it took me 40 hours to figure out in 100,000+ lines of multi-threaded C++ code a dozen years ago. As the system was for our largest client, the pressure was on.

When I found the offending line of code: it used an array index of -1 passed to a dynamic array class originally written in the early 1990s, well before the STL (Standard Template Library) took care of such matters. The author of the class had decided that allocate-on-demand would be a nice feature. If an array has three elements, 0, 1, and 2, then allocating-on-demand the 4th element with index 3 when it is referenced might be useful.

In this particular case – a dynamic array of double-precision floating-point numbers with perhaps a dozen valid elements – the -1 array index was silently coerced into a 32-bit unsigned index of more than four billion. The allocate-on-demand logic then attempted to resize the array to a size of more than 32 billion bytes, or more than four billion elements, taking down both that thread and the entire server process.

After fixing the logic so the -1 index was never used in the application code, I submitted the request to fix our base class libraries. That request may still have been pending more than four years later when I retired in frustration.

When the -1 was used as an unsigned array index, it was interpreted as 232-1 or 4,294,967,295, causing the server to try to allocate RAM to hold 4,294,967,295 eight-byte values. Crashville, population: you. Moral: Don't use -1 for anything other than -1, certainly not for array indexes unless you really know what you're doing.

img omg

Steve writes in with this little snippet:

Came across this JavaScript gem today. Not a coding horror, per se, but I'd like to know what the dev who implemented it was thinking of at the time.
if ($("#img").attr("src") == null) {
    $("#img").attr("src", $("#img").attr("src"));
}

Answers on a postcard or a comment, please.

Ask a stupid question, get a stupid answer

Another fast one, this one from Lassi, who told us:

My mostly harmless favorite from the 1990s: a user prompt from global logistics system developed internally and rolled out to 30-plus countries.

Are you sure you want to cancel the shipment?

Yes / No / Cancel

Tough question.

Maybe we should spin off Line Break with a GUI terror column, call it: user in-yer-face?

Error checking is for chumps

Next, Jay writes in with this yarn:

About ten years ago, we had a requirement to build a web application that logged in to a US government website and did some automated screen scraping and forms processing, with approval from the site.

At the time we had a new-ish Java guy on staff who claimed he could build the system. He built the app over four months and for a while it seemed to work OK. Then he quit.

A couple of weeks after he left, I got a call from the website's management saying that they were seeing hundreds of logins per minute from our IP address and it was actually taking the site offline.

Turns out that Java guy had not written in any error handling, except to drop the request and try to login again if something went wrong. Since the website had made a few small changes, the screen scraping was failing, the Java code didn’t get the response it was looking for, and boom – we were DoSing a US government website.

They were rather nice about the whole thing, but told us to “avoid excessive logins.” They also rate-limited logins from specific IPs to prevent this type of thing in the future – so, yay, we helped harden the site?

Since I wasn’t a Java guy, I ended up rewriting the entire application in Coldfusion in 6 days – with error handling and login checks. Yay for RAD. Not a complaint since.

Moral: Always check for errors. There's no shame in engineering for failure.

Race conditions

Finally, an out-of-channel entry for Line Break: Google security researcher Ian Beer, of Project Zero, found a cool bug in Apple's OS X and iOS that we'd like to share here.

When a child process runs a setuid root-owned binary, there's a window of time in which the parent can overwrite the child's loaded executable with malicious code that is then run with root-level privileges. Sneaky! This was fixed in the latest round of OS X and iOS security updates.

Keep your samples and tales of terrible code seen in the wild coming in, please, and we hope to feature it here for everyone to enjoy, I mean, learn from. ®

Click here to see all Line Break columns

The Register - Independent news and views for the tech community. Part of Situation Publishing