gnutls_calloc
Werner Koch
wk at gnupg.org
Wed Sep 17 11:06:58 CEST 2008
Hi,
as it happens I stepped over some gnutls code and noticed
  void *
  _gnutls_calloc (size_t nmemb, size_t size)
  {
    void *ret;
    size *= nmemb;
    ret = gnutls_malloc (size);
    if (ret != NULL)
      memset (ret, 0, size);
    return ret;
  }
in lib/gnutls_mem.c (2.4.1 as well as in older versions).
That code may lead to an integer overflow. I don't know how it is used
and whether there is a way to actually exploit it but for general code
cleanness, it should be fixed. Gnulib has xsize macros to use for this
purpose or you may just change it this way:
  void *
  _gnutls_calloc (size_t nmemb, size_t size)
  {
    void *ret;
    size_t nbytes;
    nbytes = nmemb * size;
    if (size && nbytes / size != nmemb)
      {
        errno = ENOMEM;
        return NULL;
      }
    ret = gnutls_malloc (nbytes);
    if (ret != NULL)
      memset (ret, 0, nbytes);
    return ret;
  }
Shalom-Salam,
Werner
--
Linux-Kongress 2008 + Hamburg + October 7-10 + www.linux-kongress.org
Thoughts are free. Exceptions are regulated by a federal law.
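
Added example, not part of the original message and not GnuTLS code: it shows the byte count the unchecked multiplication hands to the allocator for one constructed input, and confirms that the divide-back test from the message agrees with an independent pre-multiplication test at the boundary values. All function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte count the unchecked "size *= nmemb" hands to the allocator:
   the true product reduced modulo SIZE_MAX + 1. */
static size_t wrapped_request(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* The test proposed in the message: multiply first, then divide back. */
static int postcheck_overflows(size_t nmemb, size_t size)
{
    size_t nbytes = nmemb * size;
    return size && nbytes / size != nmemb;
}

/* Independent formulation: compare against the largest safe count
   before multiplying. */
static int precheck_overflows(size_t nmemb, size_t size)
{
    return size && nmemb > SIZE_MAX / size;
}

/* Returns 1 if both checks agree on every pair of boundary values. */
static int checks_agree(void)
{
    /* Constructed boundary values around the wrap point. */
    const size_t v[] = { 0, 1, 2, 16, SIZE_MAX / 16, SIZE_MAX / 16 + 1,
                         SIZE_MAX / 16 + 2, SIZE_MAX / 2 + 1, SIZE_MAX };
    size_t i, j, n = sizeof v / sizeof v[0];
    for (i = 0; i < n; i++)
        for (j = 0; j < n; j++)
            if (postcheck_overflows(v[i], v[j]) != precheck_overflows(v[i], v[j]))
                return 0;
    return 1;
}

int main(void)
{
    size_t nmemb = SIZE_MAX / 16 + 2;   /* constructed input */
    printf("requested %zu x 16, allocator sees %zu bytes\n",
           nmemb, wrapped_request(nmemb, 16));
    printf("overflow flagged: %d, checks agree: %d\n",
           postcheck_overflows(nmemb, 16), checks_agree());
    return 0;
}
```

With this input the caller believes it holds SIZE_MAX / 16 + 2 elements of 16 bytes each, while the unchecked version would allocate and zero only 16 bytes.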