From owner-svn-src-all@FreeBSD.ORG Mon May 5 21:44:04 2014
From: David Chisnall
To: Warner Losh
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Pedro Giffuni, Andrey Chernov, src-committers
Subject: Re: svn commit: r265367 - head/lib/libc/regex
Date: Mon, 5 May 2014 22:43:52 +0100
In-Reply-To: <7D7A417E-17C3-4001-8E79-0B57636A70E1@gmail.com>
References: <201405051641.s45GfFje086423@svn.freebsd.org> <5367CD77.40909@freebsd.org> <5367EB54.1080109@FreeBSD.org> <3C7CFFB7-5C84-4AC1-9A81-C718D184E87B@FreeBSD.org> <7D7A417E-17C3-4001-8E79-0B57636A70E1@gmail.com>
List-Id: "SVN commit messages for the entire src tree (except for "user" and "projects")"

On 5 May 2014, at 22:33, Warner Losh wrote:

> reallocf():
> The reallocf() function is identical to the realloc() function, except
> that it will free the passed pointer when the requested memory cannot be
> allocated. This is a FreeBSD specific API designed to ease the problems
> with traditional coding styles for realloc() causing memory leaks in
> libraries.
> ...
> The reallocf() function first appeared in FreeBSD 3.0.

While reallocf() is nice, it doesn't address the problem of overflow. It
takes a single size, forcing the caller to do the number-of-elements *
element-size multiplication, which is the problematic one. If an attacker
can control the number of elements, then it's possible to make the
multiplication overflow so reallocf() will return a valid pointer to an
area of memory that is much smaller than the caller was expecting.

David
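An added illustration of the overflow described above; this is not code from the thread or from FreeBSD's libc. naive_bytes() is the by-hand product a reallocf() caller computes, and reallocf_array() is a hypothetical helper (its name and the SIZE_MAX sentinel are assumptions) that keeps reallocf()'s free-on-failure behaviour but does the multiplication itself with an overflow check, built on plain realloc() so it also compiles where reallocf() is absent.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* The by-hand size a reallocf() caller computes: unchecked, so a large
 * element count wraps silently to a small byte count (here, to 0). */
size_t
naive_bytes(size_t nelem, size_t elsize)
{
	return (nelem * elsize);
}

/* Checked multiply: the product, or SIZE_MAX when nelem*elsize does not fit
 * (no allocation of SIZE_MAX bytes can succeed, so the sentinel is safe). */
size_t
checked_bytes(size_t nelem, size_t elsize)
{
	const size_t no_overflow = (size_t)1 << (sizeof(size_t) * 4);

	/* operands below sqrt(SIZE_MAX) cannot overflow; skip the divide */
	if ((nelem >= no_overflow || elsize >= no_overflow) &&
	    nelem > 0 && SIZE_MAX / nelem < elsize)
		return (SIZE_MAX);
	return (nelem * elsize);
}

/* reallocf_array: hypothetical helper, not a libc API. Keeps reallocf()'s
 * free-on-failure behaviour but owns the multiplication, so an overflow is
 * reported as ENOMEM instead of handing back a too-small block. */
void *
reallocf_array(void *ptr, size_t nelem, size_t elsize)
{
	size_t bytes = checked_bytes(nelem, elsize);
	void *np;

	if (bytes == SIZE_MAX) {
		free(ptr);
		errno = ENOMEM;
		return (NULL);
	}
	if (bytes == 0)	/* realloc(p, 0) is implementation-defined */
		bytes = 1;
	if ((np = realloc(ptr, bytes)) == NULL)
		free(ptr);
	return (np);
}
```

With SIZE_MAX / 8 + 1 elements of 8 bytes, naive_bytes() wraps to 0 while reallocf_array() frees the old block and fails with ENOMEM.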