authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2021-03-29 23:02:34 +0200
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2021-05-27 21:30:48 +0200
commit9232671764ff40285d5b1b846a118fc80020dd64 (patch)
treeb3b7446d7cfdb5974401639de4c9249d47b3cdc9 /src
parent5e4fd0533c99c75cb27137ab469e2ce1e3efaf72 (diff)
SECURITY: Refuse negative and large store allocations
Based on Phil Pennock's commits b34d3046 and e6c1606a. Done by Qualys. (cherry picked from commit 09d36bd64fc5bf71d8882af35c41ac4e8599acc1) (cherry picked from commit f9c58fb385343b8e3fa13988efcbd30ae3285ea7)
Diffstat (limited to 'src')
-rw-r--r--src/src/store.c18
1 files changed, 12 insertions, 6 deletions
diff --git a/src/src/store.c b/src/src/store.c
index a038c4abb..2a32e9b5c 100644
--- a/src/src/store.c
+++ b/src/src/store.c
@@ -274,12 +274,10 @@ A zero size might be also suspect, but our internal usage deliberately
does this to return a current watermark value for a later release of
allocated store. */
-if (size < 0)
- {
+if (size < 0 || size >= INT_MAX/2)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"bad memory allocation requested (%d bytes) at %s %d",
size, func, linenumber);
- }
/* Round up the size to a multiple of the alignment. Although this looks a
messy statement, because "alignment" is a constant expression, the compiler can
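Review bot: `INT_MAX/2` on the changed condition is an unexplained magic bound, and the same literal recurs in the hunks at -430 and -834, so the three sites can drift apart; a named constant such as `#define STORE_MAX_SIZE (INT_MAX/2)` (constructed name) with a short comment would keep them in step. The comment should say why half of INT_MAX is the ceiling, which from the visible lines is to leave headroom for the alignment round-up that follows here and the `size += sizeof(int)` in internal_store_malloc, so the later signed arithmetic cannot overflow. Please also confirm that INT_MAX is in scope in this file — it needs <limits.h>, which this hunk does not show; it is presumably pulled in through the project's common header. The enclosing function starts before this hunk.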
@@ -430,12 +428,10 @@ int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool;
int inc = newsize - oldsize;
int rounded_oldsize = oldsize;
-if (newsize < 0)
- {
+if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"bad memory extension requested (%d -> %d bytes) at %s %d",
oldsize, newsize, func, linenumber);
- }
/* Check that the block being extended was already of the required taint status;
refuse to extend if not. */
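Review bot: `int inc = newsize - oldsize;` at the top of this hunk is evaluated before the new guard, so for exactly the inputs the guard rejects (a negative `oldsize` with a large `newsize`) the subtraction can overflow a signed int before any check runs, which is undefined behaviour rather than the clean panic the commit intends. Keep the declaration where it is but defer the arithmetic until the guard has passed, i.e. `int inc;` at the top and `inc = newsize - oldsize;` immediately after the `log_write(0, LOG_MAIN|LOG_PANIC_DIE, ...)` statement. The function's signature and any earlier use of `inc` lie outside the hunk, so check there is no read of `inc` between the declaration and the guard.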
@@ -804,6 +800,11 @@ if (is_tainted(block) != tainted)
die_tainted(US"store_newblock", CUS func, linenumber);
#endif
+if (len < 0 || len > newsize)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory extension requested (%d -> %d bytes) at %s %d",
+ len, newsize, func, linenumber);
+
newtext = store_get(newsize, tainted);
memcpy(newtext, block, len);
if (release_ok) store_release_3(block, pool, func, linenumber);
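Review bot: The new panic message reuses the wording `"bad memory extension requested (%d -> %d bytes) at %s %d"` although this path (store_newblock, as the die_tainted call above names it) copies `len` bytes into a freshly obtained block rather than extending one, so the log line points a reader at the wrong operation and is indistinguishable from the store_extend message in the hunk at -430. Consider `"bad memory copy requested (%d -> %d bytes) at %s %d"` or include the function name as the adjacent die_tainted line does. The `len > newsize` half of the condition is what makes the following memcpy safe, so a one-line comment such as `/* guard the memcpy below: never copy more than the new block holds */` would record the intent. The enclosing function starts and ends outside this hunk.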
@@ -834,6 +835,11 @@ internal_store_malloc(int size, const char *func, int line)
{
void * yield;
+if (size < 0 || size >= INT_MAX/2)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "bad memory allocation requested (%d bytes) at %s %d",
+ size, func, line);
+
size += sizeof(int); /* space to store the size, used under debug */
if (size < 16) size = 16;