diff options
| author | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-03-29 23:02:34 +0200 |
|---|---|---|
| committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-05-27 21:30:48 +0200 |
| commit | 9232671764ff40285d5b1b846a118fc80020dd64 (patch) | |
| tree | b3b7446d7cfdb5974401639de4c9249d47b3cdc9 | |
| parent | 5e4fd0533c99c75cb27137ab469e2ce1e3efaf72 (diff) | |
SECURITY: Refuse negative and large store allocations
Based on Phil Pennock's commits b34d3046 and e6c1606a. Done by Qualys.
(cherry picked from commit 09d36bd64fc5bf71d8882af35c41ac4e8599acc1)
(cherry picked from commit f9c58fb385343b8e3fa13988efcbd30ae3285ea7)
| -rw-r--r-- | src/src/store.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/src/src/store.c b/src/src/store.c index a038c4abb..2a32e9b5c 100644 --- a/src/src/store.c +++ b/src/src/store.c @@ -274,12 +274,10 @@ A zero size might be also suspect, but our internal usage deliberately does this to return a current watermark value for a later release of allocated store. */ -if (size < 0) - { +if (size < 0 || size >= INT_MAX/2) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "bad memory allocation requested (%d bytes) at %s %d", size, func, linenumber); - } /* Round up the size to a multiple of the alignment. Although this looks a messy statement, because "alignment" is a constant expression, the compiler can @@ -430,12 +428,10 @@ int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool; int inc = newsize - oldsize; int rounded_oldsize = oldsize; -if (newsize < 0) - { +if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "bad memory extension requested (%d -> %d bytes) at %s %d", oldsize, newsize, func, linenumber); - } /* Check that the block being extended was already of the required taint status; refuse to extend if not. */ @@ -804,6 +800,11 @@ if (is_tainted(block) != tainted) die_tainted(US"store_newblock", CUS func, linenumber); #endif +if (len < 0 || len > newsize) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory extension requested (%d -> %d bytes) at %s %d", + len, newsize, func, linenumber); + newtext = store_get(newsize, tainted); memcpy(newtext, block, len); if (release_ok) store_release_3(block, pool, func, linenumber); @@ -834,6 +835,11 @@ internal_store_malloc(int size, const char *func, int line) { void * yield; +if (size < 0 || size >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory allocation requested (%d bytes) at %s %d", + size, func, line); + size += sizeof(int); /* space to store the size, used under debug */ if (size < 16) size = 16; |