views: 3895

answers: 9

Does Java have buffer overflows? If yes can you give me scenarios?

+7  A: 

Managed languages such as Java and C# do not have these problems, but the specific virtual machines (JVM/CLR/etc) which actually run the code may.

Brian Rasmussen
C# in an unsafe context can have buffer overflows. Java as a language entirely forbids this (you must change languages via JNI to gain unmanaged pointer access)
ShuggyCoUk
Good point. With unsafe C# you're obviously no longer sandboxed in a comfy managed world.
Brian Rasmussen
Right, and even if YOU don't write any unsafe or do any interop, you could be using a library that does. So that's something to watch out for.
BobbyShaftoe
+6  A: 

For all intents and purposes, no.

Java has array bounds checking which will check that data cannot be accessed from area outside of the allocated array. When one tries to access area that is beyond the size of the array, an ArrayOutOfBounds exception will be thrown.

If there is a buffer-overrun, it is probably from a bug in the Java Virtual Machine, and is, to my knowledge, not the intended behavior that is written in the Java Language Specifications nor the Java Virtual Machine Specifications.

coobird
+5  A: 

Yes and no. No, in that you cannot really mistakenly open yourself up to a buffer overflow vulnerability, because it is a managed memory model. However, there can be buffer overflow vulnerabilities in the JVM and JDK. See this Secunia advisory:

http://secunia.com/advisories/25295

BobbyShaftoe
+5  A: 

A buffer overflow in the strict sense of overwriting the stack or heap itself would require either:

  1. A bug in the framework (these have existed in the past and may well again)
  2. The use of JNI (essentially no longer using managed code)

A buffer overflow in the sense that you have code using a buffer and your code is responsible for parsing it correctly but fails to do so is possible. For example, you might write an XML parser and someone could provide you with a malformed (or legitimate but uncommon) request which, owing to the design of your parser, overwrites previously validated data with some payload that would cause your application to behave badly.

This latter form is less likely, but a poorly written, widely distributed SQL string cleansing function that had a problem such as this would be an inviting target.

ShuggyCoUk
+3  A: 

As has already been pointed out, Java has, as a language, bounds checking on all memory access, and if there's an error here, the JVM is at fault and not the program. However, what should be noted (which is a similar argument to memory leaks in Java) is that while it is not possible to smash the stack, an ArrayOutOfBoundsException in the wrong place, which is not handled correctly, may still end up screwing up your system.

roe
+3  A: 

Java (and .Net) virtual machines catch code that tries to write outside of reserved memory. Applications that don't handle this correctly can still cause security problems. If malicious users can trigger exceptions by entering invalid input they can do denial of service attacks for example.

Mendelt
+13  A: 

Since Java Strings are based on char arrays and Java automatically checks array bounds, buffer overflows are only possible in unusual scenarios:

  1. If you call native code via JNI
  2. In the JVM itself (usually written in C++)
  3. When the byte code does not properly check array bounds and the JVM executes it without verifying it (possible in embedded systems which often don't do bytecode verification due to memory constraints)
Michael Borgwardt
+2  A: 

You could conceivably cause a buffer overflow in a Java program if you were using the Java Native Interface (JNI) facility to invoke external code, and the external code had an exploitable issue. This is fairly uncommon, as most applications avoid using JNI where possible.

Tim Howland
+1  A: 

It is possible for a method to write into valid entries of an array that it did not intend to, typically through integer overflow.

For instance the following is not sufficient to check bounds:

/* !! WRONG !! */ 0 <= off && 0 <= len && off+len <= buff.length /* !! WRONG !! */

IIRC, StringBuffer once had a bug like that, but there wasn't anything interesting you could do with it.

Tom Hawtin - tackline
What *is* sufficient to check bounds?
Broam
Tom Hawtin - tackline
I had to stare at this a bit but you are right. off + len could overflow and wrap...in C. In *Java*, unless I'm mistaken--you'd get an overflow exception before that occurred, right?
Broam
No. Integer arithmetic silently wraps around. C# has a "mode" where an exception is thrown on overflow, but I don't think it is used much (if you think to use it, you'd probably think to do the right things anyway).
Tom Hawtin - tackline
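An added illustration of the point made in this answer and its comments (this is example code written here, not code from the answer or from the JDK's StringBuffer; the class name, helper names and the sample inputs are constructed for the demo): the quoted check passes for an off/len pair whose sum wraps negative, a rearranged check that never forms an overflowing intermediate rejects it, and a "validate every byte in the window" loop written against the wrapped sum silently inspects nothing, which is how a caller can end up trusting a range it never validated.

```java
import java.util.Objects;

public final class BoundsCheckDemo {
    /** The check quoted in the answer: off + len can wrap around to a negative value. */
    static boolean naiveCheck(byte[] buff, int off, int len) {
        return 0 <= off && 0 <= len && off + len <= buff.length;
    }

    /** Rearranged so that no intermediate result can overflow:
     *  once 0 <= off <= buff.length holds, buff.length - off lies in [0, buff.length]. */
    static boolean safeCheck(byte[] buff, int off, int len) {
        return 0 <= off && off <= buff.length
            && 0 <= len && len <= buff.length - off;
    }

    /** Same contract using the JDK helper available since Java 9; it throws rather than returning false. */
    static boolean jdkCheck(byte[] buff, int off, int len) {
        try {
            Objects.checkFromIndexSize(off, len, buff.length);
            return true;
        } catch (IndexOutOfBoundsException e) {
            return false;
        }
    }

    /** Counts the bytes a validation loop over [off, off+len) actually looks at.
     *  When off + len has wrapped negative, the loop condition is false immediately,
     *  so the "validated" window is never inspected at all. */
    static int bytesInspected(byte[] buff, int off, int len) {
        int inspected = 0;
        for (int i = off; i < off + len; i++) {
            if (buff[i] >= 0) {   // stand-in for a real per-byte check
                inspected++;
            }
        }
        return inspected;
    }

    public static void main(String[] args) {
        byte[] buff = new byte[16];                 // constructed sample buffer
        int off = 8, len = Integer.MAX_VALUE;       // constructed: 8 + MAX_VALUE wraps below zero
        System.out.println("naive check accepts the pair:       " + naiveCheck(buff, off, len));
        System.out.println("rearranged check accepts the pair:  " + safeCheck(buff, off, len));
        System.out.println("Objects.checkFromIndexSize accepts: " + jdkCheck(buff, off, len));
        System.out.println("bytes inspected by the wrapped loop: " + bytesInspected(buff, off, len));
        // A well-formed pair behaves identically under all three checks:
        System.out.println("valid pair, rearranged check:       " + safeCheck(buff, 4, 8));
    }
}
```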