[gnutls-devel] GnuTLS | Ensure array allocations overflow safe (#1179)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Feb 8 09:02:02 CET 2021



Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1179



As mentioned in the [comment](https://gitlab.com/gnutls/gnutls/-/merge_requests/1379#note_493204236), there are several occasions where arrays are allocated with `gnutls_malloc` without proper overflow checks:
```console
git grep -E 'gnutls_malloc(\(sizeof\(.*\) *\* *.*\)|\(.* *\* *sizeof\(.*\))'
cert-cred-x509.c:       pcerts = gnutls_malloc(sizeof(gnutls_pcert_st) * count);
cert-cred-x509.c:       ccert = gnutls_malloc(sizeof(*ccert)*MAX_PKCS11_CERT_CHA
cert-cred-x509.c:       pcerts = gnutls_malloc(sizeof(gnutls_pcert_st) * count);
cert-cred-x509.c:       ccert = gnutls_malloc(sizeof(*ccert)*MAX_PKCS11_CERT_CHAIN);
cert-cred-x509.c:       pcerts = gnutls_malloc(sizeof(gnutls_pcert_st) * cert_list_size);
cert-cred-x509.c:       new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
cert-cred-x509.c:       gnutls_x509_crl_t *new_crl = gnutls_malloc(crl_list_size * sizeof(gnutls_x509_crl_t));
cert-cred.c:    new_pcert_list = gnutls_malloc(sizeof(gnutls_pcert_st) * pcert_list_size);
cert-cred.c:    local_certs = gnutls_malloc(sizeof(gnutls_pcert_st) * ncerts);
pcert.c:        crt = gnutls_malloc((*pcert_list_size) * sizeof(gnutls_x509_crt_t));
pkcs11.c:           gnutls_malloc(sizeof(gnutls_buffer_st) * list->key_ids_size);
pkcs11.c:       ctx = gnutls_malloc(OBJECTS_A_TIME*sizeof(ctx[0]));
x509/crl.c:     *crls = gnutls_malloc(sizeof(gnutls_x509_crl_t) * init);
x509/ocsp.c:            *ocsps = gnutls_malloc(1*sizeof(gnutls_ocsp_resp_t));
x509/verify-high2.c:    xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);
x509/verify-high2.c:    xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);
x509/x509.c:    *certs = gnutls_malloc(sizeof(gnutls_x509_crt_t) * init);
x509/x509.c:    *certs = gnutls_malloc(total*sizeof(gnutls_x509_crt_t));
```
I assume most of them are for internal use, but it would be nice to replace them with `gnutls_calloc` unless there is any good reason to do the check by ourselves.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1179
You're receiving this email because of your account on gitlab.com.
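
The allocation pattern matched by the grep above, next to an overflow-checked form, as an added example that is not part of the original message or of GnuTLS itself. `elem_st`, `unchecked_size`, `checked_mul` and `alloc_array` are hypothetical names, and the element type is a constructed stand-in.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an element type such as gnutls_pcert_st. */
typedef struct { void *data; unsigned int size; int type; } elem_st;

/* Pattern from the grep output: the product is computed in size_t and
 * wraps modulo SIZE_MAX + 1 before the allocator ever sees it. */
size_t unchecked_size(size_t count)
{
    return sizeof(elem_st) * count;
}

/* Returns 1 and stores count * size if it fits in size_t, otherwise 0. */
int checked_mul(size_t count, size_t size, size_t *out)
{
    if (size != 0 && count > SIZE_MAX / size)
        return 0;
    *out = count * size;
    return 1;
}

/* Hypothetical helper: allocate the whole array or fail, never a short
 * buffer. Modern libc calloc(count, size) implementations perform an
 * equivalent check, which is what makes the calloc form the safe one. */
void *alloc_array(size_t count, size_t size)
{
    size_t total;

    if (!checked_mul(count, size, &total))
        return NULL;
    return malloc(total ? total : 1);
}

int main(void)
{
    /* Smallest count whose byte size no longer fits in size_t. */
    size_t n = SIZE_MAX / sizeof(elem_st) + 1;
    void *p = alloc_array(n, sizeof(elem_st));

    printf("count=%zu unchecked bytes=%zu\n", n, unchecked_size(n));
    printf("checked allocation: %s\n", p ? "succeeded" : "refused");
    free(p);
    return 0;
}
```

With the unchecked form, the caller receives a buffer smaller than one element while still believing it holds `count` entries, so later writes run past the allocation.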

