[PATCH] Shield against malloc() integer overflow
Dmitry V. Levin
ldv at altlinux.org
Wed Sep 29 23:27:37 UTC 2010
On Thu, Sep 30, 2010 at 03:06:30AM +0400, Dmitry V. Levin wrote:
> On Wed, Sep 29, 2010 at 11:57:19PM +0200, Lubomir Rintel wrote:
[...]
> > - if (!outstr)
> > + if (!outstr && (INT_MAX - sizeof "\"...\"") / 4 > max_strlen)
> > outstr = malloc(4 * max_strlen + sizeof "\"...\"");
BTW, your check is too restrictive: it may reject legitimate values like
(INT_MAX - sizeof "\"...\"") / 4
For example, if INT_MAX==2147483647, then 536870910 would be unjustly
rejected.
> I'd prefer to check the argument that is going to be passed to malloc(3).
> For example,
> if (!outstr) {
> size_t malloc_size = 4 * max_strlen + sizeof "\"...\"";
> if (malloc_size >= sizeof "\"...\"" &&
> (malloc_size - sizeof "\"...\"") / 4 == max_strlen)
> outstr = malloc(malloc_size);
--
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20100930/666b38b7/attachment.bin>
More information about the Strace-devel
mailing list