gnutls-devel

gnutls_calloc


From: Werner Koch
Subject: gnutls_calloc
Date: Wed, 17 Sep 2008 11:06:58 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7)

Hi,

as it happens I stepped over some gnutls code and noticed

  void *
  _gnutls_calloc (size_t nmemb, size_t size)
  {
    void *ret;
    size *= nmemb;
    ret = gnutls_malloc (size);
    if (ret != NULL)
      memset (ret, 0, size);
    return ret;
  }
  
in lib/gnutls_mem.c (2.4.1 as well as in older versions).

That code may lead to an integer overflow.  I don't know how it is used
and whether there is a way to actually exploit it but for general code
cleanness, it should be fixed.  Gnulib has xsize macros to use for this
purpose or you may just change it this way:

  void *
  _gnutls_calloc (size_t nmemb, size_t size)
  {
    void *ret;
    size_t nbytes;
  
    nbytes = nmemb * size;
    if (size && nbytes / size != nmemb) 
      {
        errno = ENOMEM;
        return NULL;
      }
  
    ret = gnutls_malloc (nbytes);
    if (ret != NULL)
      memset (ret, 0, nbytes);
    return ret;
  }
  


Shalom-Salam,

   Werner


-- 
Linux-Kongress 2008 + Hamburg + October 7-10 + www.linux-kongress.org

   Thoughts are free.  Exceptions are regulated by a federal law.
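
The wraparound described in the message above, as an added example that is not part of the original post or of GnuTLS: it shows the byte count the unchecked multiplication actually requests, and that the divide-back test from the second listing agrees with a bound test done before multiplying. The names `unchecked_bytes`, `wraps_by_division`, `wraps_by_bound` and `demo_calloc` are hypothetical, plain `malloc` stands in for `gnutls_malloc`, and the input values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The unchecked product from the first listing: wraps modulo SIZE_MAX + 1. */
static size_t unchecked_bytes(size_t nmemb, size_t size)
{
  return nmemb * size;
}

/* The test from the second listing: multiply, then divide back and compare. */
static int wraps_by_division(size_t nmemb, size_t size)
{
  size_t nbytes = nmemb * size;
  return size != 0 && nbytes / size != nmemb;
}

/* Equivalent test done before multiplying, so no wrapped value is formed. */
static int wraps_by_bound(size_t nmemb, size_t size)
{
  return size != 0 && nmemb > SIZE_MAX / size;
}

/* Hypothetical calloc-style wrapper; malloc stands in for gnutls_malloc. */
static void *demo_calloc(size_t nmemb, size_t size)
{
  void *ret;
  if (wraps_by_bound(nmemb, size)) {
    errno = ENOMEM;
    return NULL;
  }
  ret = malloc(nmemb * size);
  if (ret != NULL)
    memset(ret, 0, nmemb * size);
  return ret;
}

int main(void)
{
  size_t nmemb = SIZE_MAX / 16 + 2, size = 16;   /* constructed input */
  printf("unchecked request: %zu bytes\n", unchecked_bytes(nmemb, size));
  printf("division check: %d, bound check: %d\n",
         wraps_by_division(nmemb, size), wraps_by_bound(nmemb, size));
  printf("demo_calloc: %p\n", demo_calloc(nmemb, size));
  return 0;
}
```

With the unchecked product the allocator is asked for 16 bytes while the caller believes it holds `SIZE_MAX / 16 + 2` elements of 16 bytes each, which is why the check has to run before the allocation.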




