[PATCH] Shield against malloc() integer overflow

Dmitry V. Levin ldv at altlinux.org
Wed Sep 29 23:06:30 UTC 2010

On Wed, Sep 29, 2010 at 11:57:19PM +0200, Lubomir Rintel wrote:
> Ridiculously high -s arguments could trigger an integer overflow and
> result in less memory allocated than desired and in turn a heap overflow
> and crash. Or at least annoy valgrind:

This is "garbage in garbage out" principle in action: if you specify an
invalid argument to -s, it is not surprising that you get an invalid result.

If you really want a foolproof handling of command line arguments, you'd
also have to replace atoi(3) calls with something more appropriate, most
likely with a wrapper around strtol(3), e.g.

> -	if (!outstr)
> +	if (!outstr && (INT_MAX - sizeof "\"...\"") / 4 > max_strlen)
>  		outstr = malloc(4 * max_strlen + sizeof "\"...\"");

I'd prefer to check the argument that is going to be passed to malloc(3).
For example,
	if (!outstr) {
		size_t malloc_size = 4 * max_strlen + sizeof "\"...\"";
		if (malloc_size >= sizeof "\"...\"" &&
		    (malloc_size - sizeof "\"...\"") / 4 == max_strlen)
			outstr = malloc(malloc_size);

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20100930/86dde325/attachment.bin>

More information about the Strace-devel mailing list