Date: Tue, 06 May 2014 01:51:20 +0400 From: Andrey Chernov <ache@freebsd.org> To: David Chisnall <theraven@FreeBSD.org>, Warner Losh <imp@bsdimp.com> Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Pedro Giffuni <pfg@FreeBSD.org>, src-committers <src-committers@freebsd.org> Subject: Re: svn commit: r265367 - head/lib/libc/regex Message-ID: <536807D8.9000005@freebsd.org> In-Reply-To: <A4B5E0E8-93CB-4E80-9065-5D25A007B726@FreeBSD.org> References: <201405051641.s45GfFje086423@svn.freebsd.org> <5367CD77.40909@freebsd.org> <B11B5B25-8E05-4225-93D5-3A607332F19A@FreeBSD.org> <5367EB54.1080109@FreeBSD.org> <3C7CFFB7-5C84-4AC1-9A81-C718D184E87B@FreeBSD.org> <7D7A417E-17C3-4001-8E79-0B57636A70E1@gmail.com> <A4B5E0E8-93CB-4E80-9065-5D25A007B726@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 06.05.2014 1:43, David Chisnall wrote: > While reallocf() is nice, it doesn't address the problem of overflow. It takes a single size, forcing the caller to do the number-of-elements * element-size multiplication, which is the problematic one. If an attacker can control the number of elements, then it's possible to make the multiplication overflow so reallocf() will return a valid pointer to an area of memory that is much smaller than the caller was expecting. For standard malloc/realloc interface it is up to the caller to check n*size not overflows. You must trust caller already does such check. Using calloc() to enforce it instead of caller is semantically wrong, and especially strange when the caller is standard C library under your control. -- http://ache.vniz.net/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?536807D8.9000005>