Quiz Entry - updated: 2026.07.10
Why is mixing signed and unsigned types in size comparisons dangerous?
When a signed value meets an unsigned one (like size_t), C converts the signed value to unsigned — so a negative length becomes a gigantic positive size and the copy runs wild.
#define KSIZE 1024
char kbuf[KSIZE];
int copy_from_kernel(void *user_dest, int maxlen) {
int len = maxlen > KSIZE ? KSIZE : maxlen;
memcpy(user_dest, kbuf, len);
return len;
}
The vulnerability:
// If attacker passes maxlen = -1:
// -1 > 1024 is FALSE (signed)
int len = -1 > 1024 ? 1024 : -1;
len = -1;
// But memcpy's third parameter is size_t (UNSIGNED)!
// -1 as unsigned = 4,294,967,295!
memcpy(dest, kbuf, -1);
// Copies 4GB of memory → buffer overflow!
The fix:
// Use size_t
int copy_from_kernel(void *user_dest, size_t maxlen) {
size_t len = maxlen > KSIZE ? KSIZE : maxlen;
memcpy(user_dest, kbuf, len);
return len;
}
Or explicit check:
// Reject negative values
if (maxlen < 0) return -1;
Tip: Always use size_t for sizes and array indices. It's unsigned and can't go negative.
Go deeper:
Integer overflow — Wikipedia — unsigned wraparound and the security bugs it causes.