lesson_06: when 0xffff becomes a real value

when you look at the tool
 you are not looking at an exploit
 you are looking at a design decision

the system stores a value inside a 16 bit field
 that means it can represent values from 0 to 65535

many systems take one normal value and give it a special meaning

examples:
 0 means not found
 -1 means invalid
 0xffff means no data

this is convenient
 because the program does not need a second field like is_valid
 it packs state and data into the same number

that convenience is also the trap


what the program really stores
 the computer does not store meaning
 it stores bit patterns

0xffff is just: 1111111111111111

to the machine, that pattern is not “empty”
 it is not “invalid”
 it is not “special”

it is only a 16 bit value

all meaning is added later by code


why this seems safe for a long time
 most sentinel bugs do not appear immediately

they stay hidden while the system operates far from the edge

if the counter is still small
 if the identifier space is still small
 if no real value ever reaches 65535
 then everything appears correct

the design looks harmless
 tests pass
 the system ships
 nobody notices the flaw

this is why dangerous bugs often survive for years

the most dangerous bugs do not appear when the system fails immediately
 they appear when the system works for too long under the wrong assumption


fixed width means finite space
 a 16 bit field is a box with hard limits

it has exactly 65536 possible values

from:

0x0000
 to
 0xffff

that is the entire space

if one of those values is reserved for a special meaning
 then that value is no longer safely available for real data


the collision moment
 the problem begins when 0xffff becomes both:

a sentinel meaning “empty”
 and
 a legitimate value meaning “this is a real id”

at that moment, one stored value maps to two meanings

the bits are still correct
 the number is still correct
 the storage is still correct

but the interpretation is no longer correct

the system can no longer distinguish exception from reality


the main lesson
 computers do not understand meaning
 they understand representation

if representation and meaning stop aligning
 the system may continue running
 but it no longer knows what its own data means

that is where deep bugs begin