LOGBOOK

HELP

Quiz Entry - updated: 2026.07.10

Why is mixing signed and unsigned types in size comparisons dangerous?

When a signed value meets an unsigned one (like size_t), C converts the signed value to unsigned — so a negative length becomes a gigantic positive size and the copy runs wild.

#define KSIZE 1024
char kbuf[KSIZE];

int copy_from_kernel(void *user_dest, int maxlen) {
    int len = maxlen > KSIZE ? KSIZE : maxlen;
    memcpy(user_dest, kbuf, len);
    return len;
}

The vulnerability:

// If attacker passes maxlen = -1:
// -1 > 1024 is FALSE (signed)
int len = -1 > 1024 ? 1024 : -1;
len = -1;

// But memcpy's third parameter is size_t (UNSIGNED)!
// -1 as unsigned = 4,294,967,295!
memcpy(dest, kbuf, -1);
// Copies 4GB of memory → buffer overflow!

The fix:

// Use size_t
int copy_from_kernel(void *user_dest, size_t maxlen) {
    size_t len = maxlen > KSIZE ? KSIZE : maxlen;
    memcpy(user_dest, kbuf, len);
    return len;
}

Or explicit check:

// Reject negative values
if (maxlen < 0) return -1;

Tip: Always use size_t for sizes and array indices. It's unsigned and can't go negative.

Go deeper:

From Quiz: REVE1 / C Programming | Updated: Jul 10, 2026