gnutls_calloc
Simon Josefsson
simon at josefsson.org
Wed Sep 17 13:02:58 CEST 2008
Werner Koch <wk at gnupg.org> writes:
> Hi,
>
> as it happens I stepped over some gnutls code and noticed
>
> void *
> _gnutls_calloc (size_t nmemb, size_t size)
> {
>   void *ret;
>   size *= nmemb;
>   ret = gnutls_malloc (size);
>   if (ret != NULL)
>     memset (ret, 0, size);
>   return ret;
> }
>
> in lib/gnutls_mem.c (2.4.1 as well as in older versions).
>
> That code may lead to an integer overflow. I don't know how it is used
> and whether there is a way to actually exploit it but for general code
> cleanness, it should be fixed. Gnulib has xsize macros to use for this
> purpose or you may just change it this way:

I used xsize macros instead (we already had xsize.h in lgl/). Please
review:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9e576dbebf3352b4ae9fc02f276a6b886f05f808

Thanks,
Simon

> void *
> _gnutls_calloc (size_t nmemb, size_t size)
> {
>   void *ret;
>   size_t nbytes;
>
>   nbytes = nmemb * size;
>   if (size && nbytes / size != nmemb)
>     {
>       errno = ENOMEM;
>       return NULL;
>     }
>
>   ret = gnutls_malloc (nbytes);
>   if (ret != NULL)
>     memset (ret, 0, nbytes);
>   return ret;
> }
>
>
>
> Shalom-Salam,
>
> Werner
>
>
> --
> Linux-Kongress 2008 + Hamburg + October 7-10 + www.linux-kongress.org
>
> Thoughts are free. Exceptions are regulated by a federal law.
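
The following is an added example, not part of the original message and not the code from the GnuTLS commit. It shows how the unchecked `size *= nmemb` wraps to a small value and how a saturating multiply, the same idea the gnulib xsize macros are built on, lets the allocator reject the request. The names `wrapped_product`, `sat_mul` and `checked_calloc` are hypothetical, and plain `malloc` stands in for `gnutls_malloc`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Product as the original _gnutls_calloc computed it: size_t arithmetic
   silently wraps modulo SIZE_MAX + 1. */
static size_t wrapped_product(size_t nmemb, size_t size)
{
  return nmemb * size;
}

/* Saturating multiply (hypothetical helper): returns SIZE_MAX when the true
   product does not fit in size_t, so overflow can never look like a small,
   valid size. */
static size_t sat_mul(size_t nmemb, size_t size)
{
  if (size != 0 && nmemb > SIZE_MAX / size)
    return SIZE_MAX;
  return nmemb * size;
}

/* calloc-style allocator that refuses overflowing requests. SIZE_MAX is
   treated as "overflowed"; a request that large could not succeed anyway. */
static void *checked_calloc(size_t nmemb, size_t size)
{
  size_t nbytes = sat_mul(nmemb, size);
  void *ret;

  if (nbytes == SIZE_MAX)
    {
      errno = ENOMEM;
      return NULL;
    }
  ret = malloc(nbytes ? nbytes : 1);  /* avoid implementation-defined malloc(0) */
  if (ret != NULL)
    memset(ret, 0, nbytes);
  return ret;
}

int main(void)
{
  size_t nmemb = SIZE_MAX / 2 + 2;    /* constructed input: nmemb * 2 wraps to 2 */
  void *p = checked_calloc(nmemb, 2);

  printf("unchecked size: %zu bytes\n", wrapped_product(nmemb, 2));
  printf("checked_calloc: %s\n", p == NULL ? "rejected" : "allocated");
  free(p);
  return 0;
}
```

With the unchecked product the caller receives a 2-byte buffer while believing it holds `nmemb` two-byte elements, so any later indexed write runs past the allocation.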