On 5 May 2014, at 22:33, Warner Losh <i...@bsdimp.com> wrote:

> reallocf():
> The reallocf() function is identical to the realloc() function, except
> that it will free the passed pointer when the requested memory cannot be
> allocated. This is a FreeBSD specific API designed to ease the problems
> with traditional coding styles for realloc() causing memory leaks in
> libraries.
> ...
> The reallocf() function first appeared in FreeBSD 3.0.
While reallocf() is nice, it doesn't address the problem of overflow. It takes a single size, forcing the caller to do the number-of-elements * element-size multiplication, which is the problematic one. If an attacker can control the number of elements, then it's possible to make the multiplication overflow so reallocf() will return a valid pointer to an area of memory that is much smaller than the caller was expecting.

David
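As an added example (not part of either mail, and not FreeBSD's libc code), the following C shows the wrap David describes and a hypothetical checked wrapper, reallocf_array(), that rejects the multiplication before it reaches the allocator while keeping reallocf()'s free-on-failure behaviour. reallocf_compat(), reallocf_array(), wrapped_byte_count(), mul_would_overflow() and demo_overflow_rejected() are names invented for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Portable stand-in for FreeBSD's reallocf() (added example, not libc code):
 * frees the old block when realloc() fails, as the quoted man page states. */
static void *reallocf_compat(void *ptr, size_t size)
{
    void *p = realloc(ptr, size);
    if (p == NULL)
        free(ptr);
    return p;
}

/* What the caller would hand to reallocf() after nmemb * size wraps;
 * unsigned overflow is defined to wrap, so the result is silently small. */
size_t wrapped_byte_count(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* True when nmemb * size does not fit in size_t. */
int mul_would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Hypothetical reallocf_array(): checks the product before allocating and
 * keeps reallocf()'s free-on-failure contract when the check fails. */
void *reallocf_array(void *ptr, size_t nmemb, size_t size)
{
    if (mul_would_overflow(nmemb, size)) {
        free(ptr);
        errno = ENOMEM;
        return NULL;
    }
    return reallocf_compat(ptr, nmemb * size);
}

/* 1 if an attacker-sized count is rejected rather than yielding a tiny
 * buffer: SIZE_MAX/8 + 2 elements of 8 bytes wraps to exactly 8 bytes. */
int demo_overflow_rejected(void)
{
    void *buf = malloc(64);
    if (buf == NULL)
        return 0;
    void *grown = reallocf_array(buf, SIZE_MAX / 8 + 2, 8); /* frees buf */
    return grown == NULL && errno == ENOMEM;
}
```

The same arithmetic wraps for any size_t width: SIZE_MAX/8 + 2 is 2^(k-3) + 1, and multiplying by 8 gives 2^k + 8, which truncates to 8.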