On 06.05.2014 1:43, David Chisnall wrote:
> While reallocf() is nice, it doesn't address the problem of overflow. It
> takes a single size, forcing the caller to do the number-of-elements *
> element-size multiplication, which is the problematic one. If an attacker
> can control the number of elements, then it's possible to make the
> multiplication overflow so reallocf() will return a valid pointer to an area
> of memory that is much smaller than the caller was expecting.
For the standard malloc/realloc interface it is up to the caller to check that n*size does not overflow. You must trust that the caller already does such a check. Using calloc() to enforce it instead of the caller is semantically wrong, and especially strange when the caller is the standard C library under your control.

--
http://ache.vniz.net/
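The overflow David describes, as an added example that is not code from FreeBSD's libc or from either poster: an unchecked count*size product next to a caller-side check of the kind this thread says the caller must perform. The function names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* The problematic pattern: the product silently wraps around, so a huge
 * attacker-controlled element count can yield a tiny byte count. */
size_t unchecked_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Caller-side overflow check: true (and *out set) only if nmemb * size
 * fits in size_t. Division avoids needing a wider integer type. */
bool size_mul_ok(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return false;
    *out = nmemb * size;
    return true;
}

/* reallocf-style wrapper that does the check before calling realloc():
 * on overflow or allocation failure the old block is freed, errno is set
 * to ENOMEM and NULL is returned, so the caller can never receive a
 * buffer smaller than the nmemb * size it asked for. */
void *reallocarrayf_checked(void *ptr, size_t nmemb, size_t size)
{
    size_t bytes;
    if (!size_mul_ok(nmemb, size, &bytes)) {
        free(ptr);
        errno = ENOMEM;
        return NULL;
    }
    void *p = realloc(ptr, bytes);
    if (p == NULL)
        free(ptr);
    return p;
}
```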