faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

memory: check for overflow when (re)allocating array

Browse source 
When (re)allocating an array with very large number of elements using
the MallocArray or ReallocArray macros, the calculated size of the array
could overflow size_t and less memory would be allocated than requested.

Add new functions for (re)allocating arrays that check the size and use
them in the MallocArray and ReallocArray macros.

This couldn't be exploited, because all arrays that can grow with cmdmon
or NTP requests already have their size checked before allocation, or
they are much smaller than memory allocated for structures to which they
are related (i.e. ntp_core and sourcestats instances), so a memory
allocation would fail before their size could overflow.

This issue was found in an audit performed by Cure53 and sponsored by
Mozilla.
This commit is contained in:
Miroslav Lichvar 2017-08-24 12:10:46 +02:00
parent f40b0024bd
commit 7ffee73524
3 changed files with 31 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
array.c
View file

@ -66,8 +66,6 @@ ARR_DestroyInstance(ARR_Instance array)
static void static void
realloc_array(ARR_Instance array, unsigned int min_size) realloc_array(ARR_Instance array, unsigned int min_size)
{ {
size_t data_size;
assert(min_size <= 2 * min_size); assert(min_size <= 2 * min_size);
if (array->allocated >= min_size && array->allocated <= 2 * min_size) if (array->allocated >= min_size && array->allocated <= 2 * min_size)
return; return;
@ -79,10 +77,7 @@ realloc_array(ARR_Instance array, unsigned int min_size)
array->allocated = min_size; array->allocated = min_size;
} }
data_size = (size_t)array->elem_size * array->allocated; array->data = Realloc2(array->data, array->allocated, array->elem_size);
assert(data_size / array->elem_size == array->allocated);
array->data = Realloc(array->data, data_size);
} }
void * void *

26
memory.c
View file

@ -54,6 +54,32 @@ Realloc(void *ptr, size_t size)
return r; return r;
} }
static size_t
get_array_size(size_t nmemb, size_t size)
{
size_t array_size;
array_size = nmemb * size;
/* Check for overflow */
if (nmemb > 0 && array_size / nmemb != size)
LOG_FATAL("Could not allocate memory");
return array_size;
}
void *
Malloc2(size_t nmemb, size_t size)
{
return Malloc(get_array_size(nmemb, size));
}
void *
Realloc2(void *ptr, size_t nmemb, size_t size)
{
return Realloc(ptr, get_array_size(nmemb, size));
}
char * char *
Strdup(const char *s) Strdup(const char *s)
{ {

6
memory.h
View file

@ -30,12 +30,14 @@
/* Wrappers checking for errors */ /* Wrappers checking for errors */
extern void *Malloc(size_t size); extern void *Malloc(size_t size);
extern void *Realloc(void *ptr, size_t size); extern void *Realloc(void *ptr, size_t size);
extern void *Malloc2(size_t nmemb, size_t size);
extern void *Realloc2(void *ptr, size_t nmemb, size_t size);
extern char *Strdup(const char *s); extern char *Strdup(const char *s);
/* Convenient macros */ /* Convenient macros */
#define MallocNew(T) ((T *) Malloc(sizeof(T))) #define MallocNew(T) ((T *) Malloc(sizeof(T)))
#define MallocArray(T, n) ((T *) Malloc((n) * sizeof(T))) #define MallocArray(T, n) ((T *) Malloc2(n, sizeof(T)))
#define ReallocArray(T,n,x) ((T *) Realloc((void *)(x), (n)*sizeof(T))) #define ReallocArray(T, n, x) ((T *) Realloc2((void *)(x), n, sizeof(T)))
#define Free(x) free(x) #define Free(x) free(x)
#endif /* GOT_MEMORY_H */ #endif /* GOT_MEMORY_H */