Date: Tue, 06 May 2014 02:52:26 +0400
From: Andrey Chernov <ache@freebsd.org>
To: David Chisnall <theraven@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Pedro Giffuni <pfg@FreeBSD.org>, src-committers <src-committers@freebsd.org>, Warner Losh <imp@bsdimp.com>
Subject: Re: svn commit: r265367 - head/lib/libc/regex
Message-ID: <5368162A.9000002@freebsd.org>
In-Reply-To: <9349EAA9-F92C-4170-A1C0-2200FD490E5F@FreeBSD.org>
References: <201405051641.s45GfFje086423@svn.freebsd.org> <5367CD77.40909@freebsd.org> <B11B5B25-8E05-4225-93D5-3A607332F19A@FreeBSD.org> <5367EB54.1080109@FreeBSD.org> <3C7CFFB7-5C84-4AC1-9A81-C718D184E87B@FreeBSD.org> <7D7A417E-17C3-4001-8E79-0B57636A70E1@gmail.com> <A4B5E0E8-93CB-4E80-9065-5D25A007B726@FreeBSD.org> <536807D8.9000005@freebsd.org> <9349EAA9-F92C-4170-A1C0-2200FD490E5F@FreeBSD.org>
On 06.05.2014 2:12, David Chisnall wrote:
> On 5 May 2014, at 22:51, Andrey Chernov <ache@freebsd.org> wrote:
>
>> For standard malloc/realloc interface it is up to the caller to check
>> n*size not overflows. You must trust caller already does such check.
>
> Do a search of the CVE database sometime to see how well placed that trust generally is. Or even look at the code in question, where none of the realloc() or malloc() calls does overflow checking.

I know the current situation and disagree with the OpenBSD way to fix it. The public interface assumes that the caller should be trusted. Period. How well it is really trusted is up to the caller and should be fixed in it clearly, allowing a human to trace the logic.

>> Using calloc() to enforce it instead of caller is semantically wrong,
>
> Relying on a standard function to behave according to the standard is semantically wrong?

Yes. Generally it is using a function outside of its purpose. I.e. you can use calloc() just to check n*size and nothing else (free() the result immediately afterwards) instead of writing just a single check by yourself. It will be legal usage but semantically wrong and misleading.

>> and especially strange when the caller is standard C library under your
>> control.
>
> I don't follow this. If libc can't rely on standards conformance from itself then other code stands no chance.

Libc here is the caller, which is well under control because of the same codebase. It means that the n*size check can be easily added before the malloc call instead of using side effects with hidden logic. As I mentioned initially, literal enough checks are what we need to make the logic clear. In the case we discuss, realloc() can be changed to reallocf(), which does n*size and NULL checks, and a literal "if" should be added before malloc() to check overflow.

-- 
http://ache.vniz.net/
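The "literal if before malloc()" approach argued for above, as an added example that is not code from the thread or from libc/regex: a visible n*size overflow check in front of malloc(), and a realloc wrapper that applies the same check and frees the old block on failure (the helper names are made up here; they are not FreeBSD's reallocf()).

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Literal overflow check: does n * size fit in a size_t?
 * Dividing SIZE_MAX by size avoids doing the multiplication that could wrap. */
int mul_overflows(size_t n, size_t size)
{
    return size != 0 && n > SIZE_MAX / size;
}

/* What an unchecked call would request: the product wrapped modulo SIZE_MAX+1.
 * Shown only to make the failure mode visible; never use this as a size. */
size_t unchecked_bytes(size_t n, size_t size)
{
    return n * size;
}

/* malloc() guarded by an explicit check the reader can trace. */
void *xmalloc_array(size_t n, size_t size)
{
    if (mul_overflows(n, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(n * size);
}

/* realloc() with the same literal check; frees the old block on failure so the
 * caller never keeps a dangling pointer (hypothetical helper, not reallocf()). */
void *xreallocf_array(void *p, size_t n, size_t size)
{
    size_t bytes;
    void *q;

    if (mul_overflows(n, size)) {
        free(p);
        errno = ENOMEM;
        return NULL;
    }
    bytes = n * size;
    if (bytes == 0)
        bytes = 1;          /* realloc(p, 0) is implementation-defined; avoid it */
    q = realloc(p, bytes);
    if (q == NULL)
        free(p);
    return q;
}
```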