[PATCH] Shield against malloc() integer overflow

Dmitry V. Levin ldv at altlinux.org
Wed Sep 29 23:06:30 UTC 2010


On Wed, Sep 29, 2010 at 11:57:19PM +0200, Lubomir Rintel wrote:
> Ridiculously high -s arguments could trigger an integer overflow and
> result in less memory allocated than desired and in turn a heap overflow
> and crash. Or at least annoy valgrind:

This is the "garbage in, garbage out" principle in action: if you specify an
invalid argument to -s, it is not surprising that you get an invalid result.

If you really want foolproof handling of command line arguments, you'd
also have to replace the atoi(3) calls with something more appropriate, most
likely a wrapper around strtol(3), e.g.
http://git.altlinux.org/people/ldv/packages/?p=popa3d.git;a=blob;f=popa3d/protocol.c#l163

> -	if (!outstr)
> +	if (!outstr && (INT_MAX - sizeof "\"...\"") / 4 > max_strlen)
>  		outstr = malloc(4 * max_strlen + sizeof "\"...\"");
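Review bot: when the added condition is false, outstr is simply left unassigned and nothing in this hunk reports or handles that, so the code following this point proceeds with no buffer; an out-of-range -s should either be rejected where it is parsed or clamped before reaching this allocation, rather than silently skipping the malloc. The bound itself is consistent with the expression on the next line (4 * max_strlen stays below INT_MAX - sizeof "\"...\"" whenever the test passes, and a negative max_strlen converts to a large size_t and fails it), but tying the limit to INT_MAX rather than to the type the product is computed in deserves a comment.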

I'd prefer to check the argument that is going to be passed to malloc(3).
For example,
	if (!outstr) {
		/* check the value that is actually passed to malloc(3), not its operands */
		size_t malloc_size = 4 * max_strlen + sizeof "\"...\"";
		/* undo the arithmetic; a mismatch means the computation wrapped */
		if (malloc_size >= sizeof "\"...\"" &&
		    (malloc_size - sizeof "\"...\"") / 4 == max_strlen)
			outstr = malloc(malloc_size);
	}


-- 
ldv
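The two guard styles discussed above (bounding the operand before the multiplication, as in the quoted hunk, and validating the computed size afterwards, as in the reply), together with the strtol(3) replacement for atoi(3), as an added stand-alone example that is not strace's code; the function names and the ELLIPSIS macro are my own.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Suffix appended to a truncated string argument; sizeof includes the NUL. */
#define ELLIPSIS "\"...\""

/* strtol(3)-based replacement for atoi(3) on the -s argument: rejects empty
 * input, trailing garbage, negatives and anything that does not fit an int. */
bool parse_max_strlen(const char *arg, int *out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return false;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 0 || v > INT_MAX)
        return false;
    *out = (int)v;
    return true;
}

/* Style 1: bound-check the operand first, so 4 * max_strlen + sizeof ELLIPSIS
 * is only evaluated when it provably cannot wrap. */
bool outstr_size_precheck(int max_strlen, size_t *size)
{
    const size_t suffix = sizeof ELLIPSIS;

    if (max_strlen < 0 || (size_t)max_strlen > (SIZE_MAX - suffix) / 4)
        return false;
    *size = 4 * (size_t)max_strlen + suffix;
    return true;
}

/* Style 2: compute in size_t (unsigned, so wraparound is defined rather than
 * undefined behaviour) and then verify the result by reversing the arithmetic. */
bool outstr_size_postcheck(int max_strlen, size_t *size)
{
    const size_t suffix = sizeof ELLIPSIS;
    const size_t n = (size_t)max_strlen;      /* a negative int becomes huge */
    const size_t malloc_size = 4 * n + suffix;

    if (malloc_size < suffix || (malloc_size - suffix) / 4 != n)
        return false;                          /* wrapped: refuse to allocate */
    *size = malloc_size;
    return true;
}
```

Both guards agree on every input; on a 64-bit size_t they accept any non-negative int, while on a 32-bit one both reject values near INT_MAX.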