Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / strace / aa524c88c49814863cb7f19e5c8a8eeca6ce22fe^! / . / util.c
commitaa524c88c49814863cb7f19e5c8a8eeca6ce22fe[log] [tgz]
authorRoland McGrath <roland@redhat.com>Wed Jun 01 19:22:06 2005 +0000
committerRoland McGrath <roland@redhat.com>Wed Jun 01 19:22:06 2005 +0000
treea2990277e60e1f07e3ffee8e7d0fe0ff42944531
parentb422e0d47dd81daa7d7df359f1237c7aaea173cb [diff] [blame]
2005-05-31  Dmitry V. Levin  <ldv@altlinux.org>

	Deal with memory management issues.
	* defs.h (tprint_iov): Update prototype.
	* desc.c (sys_epoll_wait) [HAVE_SYS_EPOLL_H]: Do not allocate
	epoll_event array of arbitrary size on the stack, to avoid
	stack overflow.
	* file.c (print_xattr_val): Check for integer overflow during
	malloc size calculation, to avoid heap corruption.
	* io.c (tprint_iov) [HAVE_SYS_UIO_H]: Check for integer overflow
	during malloc size calculation, to avoid heap corruption.
	Change iovec array handling to avoid heap memory allocation.
	* mem.c (get_nodes) [LINUX]: Check for integer overflow during
	size calculation and do not allocate array of arbitrary size on
	the stack, to avoid stack overflow.
	* net.c (printcmsghdr) [HAVE_SENDMSG]: Do not allocate array of
	arbitrary size on the stack, to avoid stack overflow.  Do not
	trust cmsg.cmsg_len to avoid read beyond the end of allocated
	object.
	(printmsghdr) [HAVE_SENDMSG]: Update tprint_iov() usage.
	* process.c (sys_setgroups): Check for integer overflow during
	malloc size calculation, to avoid heap corruption.  Change gid_t
	array handling to avoid heap memory allocation.
	(sys_getgroups): Likewise.
	(sys_setgroups32) [LINUX]: Likewise.
	(sys_getgroups32) [LINUX]: Likewise.
	* stream.c (sys_poll) [HAVE_SYS_POLL_H]: Check for integer
	overflow during malloc size calculation, to avoid heap corruption.
	Change pollfd array handling to avoid heap memory allocation.
	* system.c (sys_sysctl) [LINUX]: Check for integer overflow
	during malloc size calculation, to avoid heap corruption.
	* util.c (dumpiov) [HAVE_SYS_UIO_H]: Check for integer overflow
	during malloc size calculation, to avoid heap corruption.
	Fixes RH#159196.

diff --git a/util.c b/util.c
index d92c0ea..e477cf1 100644
--- a/util.c
+++ b/util.c

@@ -532,15 +532,15 @@
 {
 	struct iovec *iov;
 	int i;
+	unsigned long size;
 
-
-	if ((iov = (struct iovec *) malloc(len * sizeof *iov)) == NULL) {
-		fprintf(stderr, "dump: No memory");
+	size = sizeof(*iov) * (unsigned long) len;
+	if (size / sizeof(*iov) != len
+	    || (iov = (struct iovec *) malloc(size)) == NULL) {
+		fprintf(stderr, "out of memory\n");
 		return;
 	}
-	if (umoven(tcp, addr,
-		   len * sizeof *iov, (char *) iov) >= 0) {
-
+	if (umoven(tcp, addr, size, (char *) iov) >= 0) {
 		for (i = 0; i < len; i++) {
                         /* include the buffer number to make it easy to
                          * match up the trace with the source */