- Use reallocarray for integer overflow protection, patch submitted

by Loganaden Velvindron. git-svn-id: file:///svn/unbound/trunk@3365 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2015-03-17 08:24:24 +00:00 · 2015-03-17 08:24:24 +00:00 · 63b5d109f8
commit 63b5d109f8
parent b629cdac02
11 changed files with 74 additions and 11 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -131,7 +131,7 @@ compat/memcmp.c compat/memmove.c compat/snprintf.c compat/strlcat.c \
 compat/strlcpy.c compat/strptime.c compat/getentropy_linux.c \
 compat/getentropy_osx.c compat/getentropy_solaris.c compat/getentropy_win.c \
 compat/explicit_bzero.c compat/arc4random.c compat/arc4random_uniform.c \
-compat/arc4_lock.c compat/sha512.c
+compat/arc4_lock.c compat/sha512.c compat/reallocarray.c
 COMPAT_OBJ=$(LIBOBJS:.o=.lo)
 COMPAT_OBJ_WITHOUT_CTIME=$(LIBOBJ_WITHOUT_CTIME:.o=.lo)
 COMPAT_OBJ_WITHOUT_CTIMEARC4=$(LIBOBJ_WITHOUT_CTIMEARC4:.o=.lo)
@ -1217,6 +1217,7 @@ memmove.lo memmove.o: $(srcdir)/compat/memmove.c config.h
 snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
 strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
+reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
 getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
 
--- a/acx_nlnetlabs.m4
+++ b/acx_nlnetlabs.m4
@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 26
+# Version 27
+# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
 # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
 # 2013-06-25 FLTO has --disable-flto option.
@ -1213,6 +1214,16 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result);
 #endif
 ])

+dnl provide reallocarray compat prototype.
+dnl $1: unique name for compat code
+AC_DEFUN([AHX_CONFIG_REALLOCARRAY],
+[
+#ifndef HAVE_REALLOCARRAY
+#define reallocarray reallocarray$1
+void* reallocarray(void *ptr, size_t nmemb, size_t size);
+#endif
+])
+
 dnl provide w32 compat definition for sleep
 AC_DEFUN([AHX_CONFIG_W32_SLEEP],
 [
--- a/compat/reallocarray.c
+++ b/compat/reallocarray.c
@ -15,6 +15,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

+#include "config.h"
 #include <sys/types.h>
 #include <errno.h>
 #include <stdint.h>
--- a/config.h.in
+++ b/config.h.in
@ -70,6 +70,10 @@
   if you don't. */
 #undef HAVE_DECL_NID_X9_62_PRIME256V1

+/* Define to 1 if you have the declaration of `reallocarray', and to 0 if you
+   don't. */
+#undef HAVE_DECL_REALLOCARRAY
+
 /* Define to 1 if you have the declaration of `sk_SSL_COMP_pop_free', and to 0
   if you don't. */
 #undef HAVE_DECL_SK_SSL_COMP_POP_FREE
@ -266,6 +270,9 @@
 /* Define to 1 if you have the `random' function. */
 #undef HAVE_RANDOM

+/* Define to 1 if you have the `reallocarray' function. */
+#undef HAVE_REALLOCARRAY
+
 /* Define to 1 if you have the `recvmsg' function. */
 #undef HAVE_RECVMSG

@ -889,6 +896,12 @@ struct tm *gmtime_r(const time_t *timep, struct tm *result);
 #endif


+#ifndef HAVE_REALLOCARRAY
+#define reallocarray reallocarrayunbound
+void* reallocarray(void *ptr, size_t nmemb, size_t size);
+#endif
+
+
 #if !defined(HAVE_SLEEP) || defined(HAVE_WINDOWS_H)
 #define sleep(x) Sleep((x)*1000) /* on win32 */
 #endif /* HAVE_SLEEP */
@ -954,6 +967,9 @@ uint32_t arc4random(void);
 #  if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM)
 uint32_t arc4random_uniform(uint32_t upper_bound);
 #  endif
+#  if !HAVE_DECL_REALLOCARRAY
+void *reallocarray(void *ptr, size_t nmemb, size_t size);
+#  endif
 #endif /* HAVE_LIBRESSL */
 #ifndef HAVE_ARC4RANDOM
 void explicit_bzero(void* buf, size_t len);
--- a/24
+++ b/24
@ -16729,6 +16729,16 @@ fi
 cat >>confdefs.h <<_ACEOF
 #define HAVE_DECL_ARC4RANDOM_UNIFORM $ac_have_decl
 _ACEOF
+ac_fn_c_check_decl "$LINENO" "reallocarray" "ac_cv_have_decl_reallocarray" "$ac_includes_default"
+if test "x$ac_cv_have_decl_reallocarray" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_REALLOCARRAY $ac_have_decl
+_ACEOF

 else
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
@ -18137,6 +18147,20 @@ esac
 fi


+ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
+if test "x$ac_cv_func_reallocarray" = xyes; then :
+  $as_echo "#define HAVE_REALLOCARRAY 1" >>confdefs.h
+
+else
+  case " $LIBOBJS " in
+  *" reallocarray.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS reallocarray.$ac_objext"
+ ;;
+esac
+
+fi
+
+
 LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"

 if test "$USE_NSS" = "no"; then
--- a/configure.ac
+++ b/configure.ac
@ -569,7 +569,7 @@ if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL
 	AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
 	# libressl provides these compat functions, but they may also be
 	# declared by the OS in libc.  See if they have been declared.
-	AC_CHECK_DECLS([strlcpy,strlcat,arc4random,arc4random_uniform])
+	AC_CHECK_DECLS([strlcpy,strlcat,arc4random,arc4random_uniform,reallocarray])
 else
 	AC_MSG_RESULT([no])
 fi
@ -996,6 +996,7 @@ AC_REPLACE_FUNCS(strlcat)
 AC_REPLACE_FUNCS(strlcpy)
 AC_REPLACE_FUNCS(memmove)
 AC_REPLACE_FUNCS(gmtime_r)
+AC_REPLACE_FUNCS(reallocarray)
 LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
 AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
 if test "$USE_NSS" = "no"; then
@ -1236,6 +1237,7 @@ AHX_CONFIG_MEMMOVE(unbound)
 AHX_CONFIG_STRLCAT(unbound)
 AHX_CONFIG_STRLCPY(unbound)
 AHX_CONFIG_GMTIME_R(unbound)
+AHX_CONFIG_REALLOCARRAY(unbound)
 AHX_CONFIG_W32_SLEEP
 AHX_CONFIG_W32_USLEEP
 AHX_CONFIG_W32_RANDOM
@ -1269,6 +1271,9 @@ uint32_t arc4random(void);
 #  if !HAVE_DECL_ARC4RANDOM_UNIFORM && defined(HAVE_ARC4RANDOM_UNIFORM)
 uint32_t arc4random_uniform(uint32_t upper_bound);
 #  endif
+#  if !HAVE_DECL_REALLOCARRAY
+void *reallocarray(void *ptr, size_t nmemb, size_t size);
+#  endif
 #endif /* HAVE_LIBRESSL */
 #ifndef HAVE_ARC4RANDOM
 void explicit_bzero(void* buf, size_t len);
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,7 @@
+17 March 2015: Wouter
+	- Use reallocarray for integer overflow protection, patch submitted
+	  by Loganaden Velvindron.
+
 16 March 2015: Wouter
 	- Fixup compile on cygwin, more portable openssl thread id.

--- a/libunbound/context.c
+++ b/libunbound/context.c
@ -360,7 +360,7 @@ context_serialize_cancel(struct ctx_query* q, uint32_t* len)
 	/* format of cancel:
 	 * 	o uint32 cmd
 	 * 	o uint32 async-id */
-	uint8_t* p = (uint8_t*)malloc(2*sizeof(uint32_t));
+	uint8_t* p = (uint8_t*)reallocarray(NULL, sizeof(uint32_t), 2);
 	if(!p) return NULL;
 	*len = 2*sizeof(uint32_t);
 	sldns_write_uint32(p, UB_LIBCMD_CANCEL);
--- a/util/config_file.c
+++ b/util/config_file.c
@ -454,7 +454,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	{ IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); }
 	else if (strcmp(opt, "outgoing-interface:") == 0) {
 		char* d = strdup(val);
-		char** oi = (char**)malloc((cfg->num_out_ifs+1)*sizeof(char*));
+		char** oi = 
+		(char**)reallocarray(NULL, (cfg->num_out_ifs+1), sizeof(char*));
 		if(!d || !oi) { free(d); free(oi); return -1; }
 		if(cfg->out_ifs && cfg->num_out_ifs) {
 			memmove(oi, cfg->out_ifs, cfg->num_out_ifs*sizeof(char*));
@ -1001,7 +1002,7 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
 	*avail = NULL;
 	if(num == 0)
 		return 0;
-	*avail = (int*)malloc(sizeof(int)*num);
+	*avail = (int*)reallocarray(NULL, num, sizeof(int));
 	if(!*avail)
 		return 0;
 	for(i=0; i<65536; i++) {
--- a/util/net_help.c
+++ b/util/net_help.c
@ -789,8 +789,8 @@ int ub_openssl_lock_init(void)
 {
 #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
 	int i;
-	ub_openssl_locks = (lock_basic_t*)malloc(
-		sizeof(lock_basic_t)*CRYPTO_num_locks());
+	ub_openssl_locks = (lock_basic_t*)reallocarray(
+		NULL, CRYPTO_num_locks(), sizeof(lock_basic_t));
 	if(!ub_openssl_locks)
 		return 0;
 	for(i=0; i<CRYPTO_num_locks(); i++) {
--- a/validator/val_anchor.c
+++ b/validator/val_anchor.c
@ -882,14 +882,14 @@ assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
 	memset(pd, 0, sizeof(*pd));
 	pd->count = num;
 	pd->trust = rrset_trust_ultimate;
-	pd->rr_len = (size_t*)malloc(num*sizeof(size_t));
+	pd->rr_len = (size_t*)reallocarray(NULL, num, sizeof(size_t));
 	if(!pd->rr_len) {
 		free(pd);
 		free(pkey->rk.dname);
 		free(pkey);
 		return NULL;
 	}
-	pd->rr_ttl = (time_t*)malloc(num*sizeof(time_t));
+	pd->rr_ttl = (time_t*)reallocarray(NULL, num, sizeof(time_t));
 	if(!pd->rr_ttl) {
 		free(pd->rr_len);
 		free(pd);
@ -897,7 +897,7 @@ assemble_it(struct trust_anchor* ta, size_t num, uint16_t type)
 		free(pkey);
 		return NULL;
 	}
-	pd->rr_data = (uint8_t**)malloc(num*sizeof(uint8_t*));
+	pd->rr_data = (uint8_t**)reallocarray(NULL, num, sizeof(uint8_t*));
 	if(!pd->rr_data) {
 		free(pd->rr_ttl);
 		free(pd->rr_len);