[PATCH] Shield against malloc() integer overflow

Dmitry V. Levin ldv at altlinux.org
Wed Sep 29 23:27:37 UTC 2010


On Thu, Sep 30, 2010 at 03:06:30AM +0400, Dmitry V. Levin wrote:
> On Wed, Sep 29, 2010 at 11:57:19PM +0200, Lubomir Rintel wrote:
[...]
> > -	if (!outstr)
> > +	if (!outstr && (INT_MAX - sizeof "\"...\"") / 4 > max_strlen)
> >  		outstr = malloc(4 * max_strlen + sizeof "\"...\"");
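Review bot: the guard on the `+` line is off by one at the boundary: because the division truncates, every max_strlen up to and including (INT_MAX - sizeof "\"...\"") / 4 still gives 4 * max_strlen + sizeof "\"...\"" <= INT_MAX, so the comparison should be `>=` rather than `>`; as written it rejects 536870910 on a 32-bit int. The hunk also shows nothing for the rejected path: when the new condition is false, outstr stays NULL and whatever follows this line must check for that (and preferably report the out-of-range length) rather than use the buffer. Finally, bounding against INT_MAX while malloc(3) takes a size_t is presumably deliberate, to keep 4 * max_strlen representable as an int, but that intent deserves a comment next to the check.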

BTW, your check is too restrictive: it may reject legitimate values like
(INT_MAX - sizeof "\"...\"") / 4
For example, if INT_MAX==2147483647, then 536870910 would be unjustly
rejected.

> I'd prefer to check the argument that is going to be passed to malloc(3).
> For example,
> 	if (!outstr) {
> 		size_t malloc_size = 4 * max_strlen + sizeof "\"...\"";
> 		if (malloc_size >= sizeof "\"...\"" &&
> 		    (malloc_size - sizeof "\"...\"") / 4 == max_strlen)
> 			outstr = malloc(malloc_size);


-- 
ldv
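The two guards under discussion, side by side, as an added example (not code from the patch or from strace itself): a pre-check that bounds the length before the multiplication, with the `>=` boundary the reply asks for, and a post-check that computes in size_t and verifies the result can be inverted. It assumes a 32-bit int (INT_MAX == 2147483647) and a size_t max_strlen, neither of which the thread states.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size of the suffix strace appends to a truncated string, NUL included. */
#define SUFFIX_SIZE (sizeof "\"...\"")

/* Pre-check in the spirit of the posted patch, with inclusive boundary:
 * accept every max_strlen for which 4 * max_strlen + SUFFIX_SIZE fits in
 * an int. Because the division truncates, the quotient itself is valid. */
int outstr_size_precheck(size_t max_strlen, size_t *size)
{
    if (max_strlen > (INT_MAX - SUFFIX_SIZE) / 4)
        return 0;               /* would exceed INT_MAX: reject */
    *size = 4 * max_strlen + SUFFIX_SIZE;
    return 1;
}

/* Post-check in the spirit of the quoted reply: do the arithmetic in size_t
 * (unsigned wraparound is defined, unlike signed overflow) and accept only
 * if it inverts back to max_strlen. This bounds at SIZE_MAX, not INT_MAX. */
int outstr_size_postcheck(size_t max_strlen, size_t *size)
{
    size_t malloc_size = 4 * max_strlen + SUFFIX_SIZE;
    if (malloc_size < SUFFIX_SIZE ||
        (malloc_size - SUFFIX_SIZE) / 4 != max_strlen)
        return 0;               /* wrapped around: reject */
    *size = malloc_size;
    return 1;
}

/* Guarded allocation: malloc is never called with a wrapped size. NULL
 * means "rejected or out of memory", so callers must check it rather than
 * assume the buffer exists (the rejected path the hunk leaves unhandled). */
char *alloc_outstr(size_t max_strlen)
{
    size_t size;
    if (!outstr_size_precheck(max_strlen, &size))
        return NULL;
    return malloc(size);
}

int main(void)
{
    size_t max = (INT_MAX - SUFFIX_SIZE) / 4, size;  /* 536870910 with 32-bit int */
    printf("%zu: precheck %d\n", max, outstr_size_precheck(max, &size));
    printf("%zu: precheck %d\n", max + 1, outstr_size_precheck(max + 1, &size));
    printf("SIZE_MAX/4: postcheck %d\n", outstr_size_postcheck(SIZE_MAX / 4, &size));
    return 0;
}
```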