Date:      Mon, 5 May 2014 22:43:52 +0100
From:      David Chisnall <theraven@FreeBSD.org>
To:        Warner Losh <imp@bsdimp.com>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, Pedro Giffuni <pfg@FreeBSD.org>, Andrey Chernov <ache@freebsd.org>, src-committers <src-committers@freebsd.org>
Subject:   Re: svn commit: r265367 - head/lib/libc/regex
Message-ID:  <A4B5E0E8-93CB-4E80-9065-5D25A007B726@FreeBSD.org>
In-Reply-To: <7D7A417E-17C3-4001-8E79-0B57636A70E1@gmail.com>
References:  <201405051641.s45GfFje086423@svn.freebsd.org> <5367CD77.40909@freebsd.org> <B11B5B25-8E05-4225-93D5-3A607332F19A@FreeBSD.org> <5367EB54.1080109@FreeBSD.org> <3C7CFFB7-5C84-4AC1-9A81-C718D184E87B@FreeBSD.org> <7D7A417E-17C3-4001-8E79-0B57636A70E1@gmail.com>

On 5 May 2014, at 22:33, Warner Losh <imp@bsdimp.com> wrote:

> reallocf():
>     The reallocf() function is identical to the realloc() function, except
>     that it will free the passed pointer when the requested memory cannot be
>     allocated.  This is a FreeBSD specific API designed to ease the problems
>     with traditional coding styles for realloc() causing memory leaks in
>     libraries.
> ...
>     The reallocf() function first appeared in FreeBSD 3.0.

While reallocf() is nice, it doesn't address the problem of overflow.  It
takes a single size, forcing the caller to do the number-of-elements *
element-size multiplication, which is the problematic one.  If an attacker
can control the number of elements, then it's possible to make the
multiplication overflow so reallocf() will return a valid pointer to an
area of memory that is much smaller than the caller was expecting.


David
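An added worked example, not part of David's reply and not FreeBSD libc code, showing in C the overflow he describes and the guard that removes it. The unchecked `nelem * elsize` product is computed for a constructed hostile element count (`HOSTILE_NELEM`, chosen so the product wraps to exactly 0 on both 32- and 64-bit `size_t`), and `reallocarrayf_example()` is a hypothetical free-on-failure allocator that takes the element count and element size separately and performs the multiplication under an overflow check, the same guard that OpenBSD's reallocarray(3) later made a library primitive. All function and macro names here are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed hostile element count: (SIZE_MAX/4 + 1) * 8 wraps to
 * exactly 0 whether size_t is 32 or 64 bits wide. */
#define HOSTILE_NELEM ((size_t)(SIZE_MAX / 4) + 1)
#define ELSIZE        ((size_t)8)

/* The caller-side arithmetic the mail objects to: the product wraps
 * silently and the allocator is handed a tiny size. */
size_t naive_size(size_t nelem, size_t elsize)
{
    return nelem * elsize;
}

/* Overflow-aware multiply. Returns 0 and stores the product in *out, or
 * returns -1 without touching *out when nelem * elsize does not fit. */
int checked_mul_size(size_t nelem, size_t elsize, size_t *out)
{
    if (elsize != 0 && nelem > SIZE_MAX / elsize)
        return -1;
    *out = nelem * elsize;
    return 0;
}

/* Hypothetical array-aware, free-on-failure allocator (constructed for
 * this example; not a libc function). Behaves like reallocf() but takes
 * the element count and element size separately so the multiplication
 * happens under a guard: on overflow or allocation failure it frees ptr,
 * sets errno to ENOMEM and returns NULL, so the caller can never receive
 * a block smaller than the nelem * elsize it asked for. */
void *reallocarrayf_example(void *ptr, size_t nelem, size_t elsize)
{
    size_t bytes;
    void *p;

    if (checked_mul_size(nelem, elsize, &bytes) != 0) {
        free(ptr);
        errno = ENOMEM;
        return NULL;
    }
    /* realloc(ptr, 0) is implementation-defined; request one byte instead
     * so a NULL return unambiguously means failure. */
    if (bytes == 0)
        bytes = 1;
    p = realloc(ptr, bytes);
    if (p == NULL) {
        free(ptr);   /* realloc left ptr intact; release it as reallocf does */
        errno = ENOMEM;
    }
    return p;
}

/* Returns 1 if the hostile request is refused with ENOMEM, 0 otherwise. */
int hostile_request_refused(void)
{
    void *p;

    errno = 0;
    p = reallocarrayf_example(NULL, HOSTILE_NELEM, ELSIZE);
    if (p != NULL) {
        free(p);
        return 0;
    }
    return errno == ENOMEM;
}

int main(void)
{
    size_t wrapped = naive_size(HOSTILE_NELEM, ELSIZE);
    void *buf;

    printf("unchecked nelem*elsize for %zu elements of %zu bytes: %zu bytes\n",
           HOSTILE_NELEM, ELSIZE, wrapped);
    printf("checked variant refuses the same request: %s\n",
           hostile_request_refused() ? "yes" : "no");

    /* Ordinary growth through the checked variant still works. */
    buf = reallocarrayf_example(NULL, 16, ELSIZE);
    if (buf == NULL)
        return 1;
    buf = reallocarrayf_example(buf, 32, ELSIZE);
    if (buf == NULL)
        return 1;
    free(buf);
    return 0;
}
```

The division-based check (`nelem > SIZE_MAX / elsize`) is the portable form; compilers that offer `__builtin_mul_overflow` can do the same in one call. Either way the point is the one David makes: the check has to live where the two factors are still separate, which an API taking a single byte count cannot provide.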




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A4B5E0E8-93CB-4E80-9065-5D25A007B726>