Skip to content

Commit 1129147

Browse files
ericwolzvaavva
andauthored
Add malloc size checks (#652)
* Add malloc size checks * Update adapters/socketio_berkeley.c Co-authored-by: Valerie Avva Lim <54871851+vaavva@users.noreply.github.com> * Update adapters/string_utils.c Co-authored-by: Valerie Avva Lim <54871851+vaavva@users.noreply.github.com> * PR review --------- Co-authored-by: Valerie Avva Lim <54871851+vaavva@users.noreply.github.com>
1 parent 13ea9a7 commit 1129147

15 files changed

+380
-83
lines changed

Diff for: adapters/httpapi_compact.c

+87-13
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
#include "azure_c_shared_utility/threadapi.h"
1919
#include "azure_c_shared_utility/shared_util_options.h"
2020
#include "azure_c_shared_utility/http_proxy_io.h"
21+
#include "azure_c_shared_utility/safe_math.h"
2122

2223
#ifdef _MSC_VER
2324
#define snprintf _snprintf
@@ -431,7 +432,18 @@ static void on_bytes_received(void* context, const unsigned char* buffer, size_t
431432
else
432433
{
433434
/* Here we got some bytes so we'll buffer them so the receive functions can consumer it */
434-
new_received_bytes = (unsigned char*)realloc(http_instance->received_bytes, http_instance->received_bytes_count + size);
435+
size_t malloc_size = http_instance->received_bytes_count + size;
436+
if (malloc_size < size)
437+
{
438+
// check for int overflow
439+
new_received_bytes = NULL;
440+
LogError("Invalid size parameter");
441+
}
442+
else
443+
{
444+
new_received_bytes = (unsigned char*)realloc(http_instance->received_bytes, malloc_size);
445+
}
446+
435447
if (new_received_bytes == NULL)
436448
{
437449
http_instance->is_io_error = 1;
@@ -1301,15 +1313,25 @@ HTTPAPI_RESULT HTTPAPI_SetOption(HTTP_HANDLE handle, const char* optionName, con
13011313
result = HTTPAPI_OK;
13021314
http_instance->certificate = (char*)value;
13031315
#else
1304-
int len;
13051316

13061317
if (http_instance->certificate)
13071318
{
13081319
free(http_instance->certificate);
13091320
}
13101321

1311-
len = (int)strlen((char*)value);
1312-
http_instance->certificate = (char*)malloc((len + 1) * sizeof(char));
1322+
size_t len = strlen((char*)value);
1323+
size_t malloc_size = safe_add_size_t(len, 1);
1324+
malloc_size = safe_multiply_size_t(malloc_size, sizeof(char));
1325+
if (malloc_size == SIZE_MAX)
1326+
{
1327+
LogError("Invalid malloc size");
1328+
http_instance->certificate = NULL;
1329+
}
1330+
else
1331+
{
1332+
http_instance->certificate = (char*)malloc(malloc_size);
1333+
}
1334+
13131335
if (http_instance->certificate == NULL)
13141336
{
13151337
/*Codes_SRS_HTTPAPI_COMPACT_21_062: [ If any memory allocation get fail, the HTTPAPI_SetOption shall return HTTPAPI_ALLOC_FAILED. ]*/
@@ -1326,14 +1348,24 @@ HTTPAPI_RESULT HTTPAPI_SetOption(HTTP_HANDLE handle, const char* optionName, con
13261348
}
13271349
else if (strcmp(SU_OPTION_X509_CERT, optionName) == 0 || strcmp(OPTION_X509_ECC_CERT, optionName) == 0)
13281350
{
1329-
int len;
13301351
if (http_instance->x509ClientCertificate)
13311352
{
13321353
free(http_instance->x509ClientCertificate);
13331354
}
13341355

1335-
len = (int)strlen((char*)value);
1336-
http_instance->x509ClientCertificate = (char*)malloc((len + 1) * sizeof(char));
1356+
size_t len = strlen((char*)value);
1357+
size_t malloc_size = safe_add_size_t(len, 1);
1358+
malloc_size = safe_multiply_size_t(malloc_size, sizeof(char));
1359+
if (malloc_size == SIZE_MAX)
1360+
{
1361+
LogError("Invalid malloc size");
1362+
http_instance->x509ClientCertificate = NULL;
1363+
}
1364+
else
1365+
{
1366+
http_instance->x509ClientCertificate = (char*)malloc(malloc_size);
1367+
}
1368+
13371369
if (http_instance->x509ClientCertificate == NULL)
13381370
{
13391371
/*Codes_SRS_HTTPAPI_COMPACT_21_062: [ If any memory allocation get fail, the HTTPAPI_SetOption shall return HTTPAPI_ALLOC_FAILED. ]*/
@@ -1349,14 +1381,24 @@ HTTPAPI_RESULT HTTPAPI_SetOption(HTTP_HANDLE handle, const char* optionName, con
13491381
}
13501382
else if (strcmp(SU_OPTION_X509_PRIVATE_KEY, optionName) == 0 || strcmp(OPTION_X509_ECC_KEY, optionName) == 0)
13511383
{
1352-
int len;
13531384
if (http_instance->x509ClientPrivateKey)
13541385
{
13551386
free(http_instance->x509ClientPrivateKey);
13561387
}
13571388

1358-
len = (int)strlen((char*)value);
1359-
http_instance->x509ClientPrivateKey = (char*)malloc((len + 1) * sizeof(char));
1389+
size_t len = strlen((char*)value);
1390+
size_t malloc_size = safe_add_size_t(len, 1);
1391+
malloc_size = safe_multiply_size_t(malloc_size, sizeof(char));
1392+
if (malloc_size == SIZE_MAX)
1393+
{
1394+
LogError("Invalid malloc size");
1395+
http_instance->x509ClientPrivateKey = NULL;
1396+
}
1397+
else
1398+
{
1399+
http_instance->x509ClientPrivateKey = (char*)malloc(malloc_size);
1400+
}
1401+
13601402
if (http_instance->x509ClientPrivateKey == NULL)
13611403
{
13621404
/*Codes_SRS_HTTPAPI_COMPACT_21_062: [ If any memory allocation get fail, the HTTPAPI_SetOption shall return HTTPAPI_ALLOC_FAILED. ]*/
@@ -1482,7 +1524,17 @@ HTTPAPI_RESULT HTTPAPI_CloneOption(const char* optionName, const void* value, co
14821524
result = HTTPAPI_OK;
14831525
#else
14841526
certLen = strlen((const char*)value);
1485-
tempCert = (char*)malloc((certLen + 1) * sizeof(char));
1527+
size_t malloc_size = safe_add_size_t(certLen, 1);
1528+
malloc_size = safe_multiply_size_t(malloc_size, sizeof(char));
1529+
if (malloc_size == SIZE_MAX)
1530+
{
1531+
tempCert = NULL;
1532+
}
1533+
else
1534+
{
1535+
tempCert = (char*)malloc(malloc_size);
1536+
}
1537+
14861538
if (tempCert == NULL)
14871539
{
14881540
/*Codes_SRS_HTTPAPI_COMPACT_21_070: [ If any memory allocation get fail, the HTTPAPI_CloneOption shall return HTTPAPI_ALLOC_FAILED. ]*/
@@ -1500,7 +1552,18 @@ HTTPAPI_RESULT HTTPAPI_CloneOption(const char* optionName, const void* value, co
15001552
else if (strcmp(SU_OPTION_X509_CERT, optionName) == 0 || strcmp(OPTION_X509_ECC_CERT, optionName) == 0)
15011553
{
15021554
certLen = strlen((const char*)value);
1503-
tempCert = (char*)malloc((certLen + 1) * sizeof(char));
1555+
size_t malloc_size = safe_add_size_t(certLen, 1);
1556+
malloc_size = safe_multiply_size_t(malloc_size, sizeof(char));
1557+
if (malloc_size == SIZE_MAX)
1558+
{
1559+
LogError("Invalid malloc size");
1560+
tempCert = NULL;
1561+
}
1562+
else
1563+
{
1564+
tempCert = (char*)malloc(malloc_size);
1565+
}
1566+
15041567
if (tempCert == NULL)
15051568
{
15061569
/*Codes_SRS_HTTPAPI_COMPACT_21_070: [ If any memory allocation get fail, the HTTPAPI_CloneOption shall return HTTPAPI_ALLOC_FAILED. ]*/
@@ -1517,7 +1580,18 @@ HTTPAPI_RESULT HTTPAPI_CloneOption(const char* optionName, const void* value, co
15171580
else if (strcmp(SU_OPTION_X509_PRIVATE_KEY, optionName) == 0 || strcmp(OPTION_X509_ECC_KEY, optionName) == 0)
15181581
{
15191582
certLen = strlen((const char*)value);
1520-
tempCert = (char*)malloc((certLen + 1) * sizeof(char));
1583+
size_t malloc_size = safe_add_size_t(certLen, 1);
1584+
malloc_size = safe_multiply_size_t(malloc_size, sizeof(char));
1585+
if (malloc_size == SIZE_MAX)
1586+
{
1587+
LogError("Invalid malloc size");
1588+
tempCert = NULL;
1589+
}
1590+
else
1591+
{
1592+
tempCert = (char*)malloc(malloc_size);
1593+
}
1594+
15211595
if (tempCert == NULL)
15221596
{
15231597
/*Codes_SRS_HTTPAPI_COMPACT_21_070: [ If any memory allocation get fail, the HTTPAPI_CloneOption shall return HTTPAPI_ALLOC_FAILED. ]*/

Diff for: adapters/httpapi_curl.c

+52-8
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@
2727
#include "mbedtls/ssl.h"
2828
#endif
2929
#include "azure_c_shared_utility/shared_util_options.h"
30+
#include "azure_c_shared_utility/safe_math.h"
3031

3132
#define TEMP_BUFFER_SIZE 1024
3233

@@ -118,8 +119,18 @@ HTTP_HANDLE HTTPAPI_CreateConnection(const char* hostName)
118119
httpHandleData = (HTTP_HANDLE_DATA*)malloc(sizeof(HTTP_HANDLE_DATA));
119120
if (httpHandleData != NULL)
120121
{
121-
size_t hostURL_size = strlen("https://") + strlen(hostName) + 1;
122-
httpHandleData->hostURL = malloc(hostURL_size);
122+
size_t hostURL_size = safe_add_size_t(strlen("https://"), strlen(hostName));
123+
hostURL_size = safe_add_size_t(hostURL_size, 1);
124+
125+
if (hostURL_size == SIZE_MAX)
126+
{
127+
LogError("invalid malloc size");
128+
httpHandleData->hostURL = NULL;
129+
}
130+
else
131+
{
132+
httpHandleData->hostURL = malloc(hostURL_size);
133+
}
123134

124135
if (httpHandleData->hostURL == NULL)
125136
{
@@ -282,7 +293,20 @@ static size_t ContentWriteFunction(void *ptr, size_t size, size_t nmemb, void *u
282293
(ptr != NULL) &&
283294
(size * nmemb > 0))
284295
{
285-
void* newBuffer = realloc(responseContentBuffer->buffer, responseContentBuffer->bufferSize + (size * nmemb));
296+
size_t malloc_size = safe_multiply_size_t(size, nmemb);
297+
malloc_size = safe_add_size_t(malloc_size, responseContentBuffer->bufferSize);
298+
299+
void* newBuffer;
300+
if (malloc_size == SIZE_MAX)
301+
{
302+
LogError("Invalid buffer size");
303+
newBuffer = NULL;
304+
}
305+
else
306+
{
307+
newBuffer = realloc(responseContentBuffer->buffer, malloc_size);
308+
}
309+
286310
if (newBuffer != NULL)
287311
{
288312
responseContentBuffer->buffer = newBuffer;
@@ -291,7 +315,7 @@ static size_t ContentWriteFunction(void *ptr, size_t size, size_t nmemb, void *u
291315
}
292316
else
293317
{
294-
LogError("Could not allocate buffer of size %lu", (unsigned long)(responseContentBuffer->bufferSize + (size * nmemb)));
318+
LogError("Could not allocate buffer of size %lu", (unsigned long)(malloc_size));
295319
responseContentBuffer->error = 1;
296320
if (responseContentBuffer->buffer != NULL)
297321
{
@@ -452,8 +476,18 @@ HTTPAPI_RESULT HTTPAPI_ExecuteRequest(HTTP_HANDLE handle, HTTPAPI_REQUEST_TYPE r
452476
else
453477
{
454478
char* tempHostURL;
455-
size_t tempHostURL_size = strlen(httpHandleData->hostURL) + strlen(relativePath) + 1;
456-
tempHostURL = malloc(tempHostURL_size);
479+
size_t tempHostURL_size = safe_add_size_t(strlen(httpHandleData->hostURL), strlen(relativePath));
480+
tempHostURL_size = safe_add_size_t(tempHostURL_size, 1);
481+
if (tempHostURL_size == SIZE_MAX)
482+
{
483+
LogError("Invalid malloc size");
484+
tempHostURL = NULL;
485+
}
486+
else
487+
{
488+
tempHostURL = malloc(tempHostURL_size);
489+
}
490+
457491
if (tempHostURL == NULL)
458492
{
459493
result = HTTPAPI_ERROR;
@@ -963,8 +997,18 @@ HTTPAPI_RESULT HTTPAPI_SetOption(HTTP_HANDLE handle, const char* optionName, con
963997
{
964998
if (proxy_data->username != NULL && proxy_data->password != NULL)
965999
{
966-
size_t authLen = strlen(proxy_data->username)+strlen(proxy_data->password)+1;
967-
proxy_auth = malloc(authLen+1);
1000+
size_t authLen = safe_add_size_t(strlen(proxy_data->username), strlen(proxy_data->password));
1001+
authLen = safe_add_size_t(authLen, 2);
1002+
if (authLen == SIZE_MAX)
1003+
{
1004+
LogError("Invalid malloc size");
1005+
proxy_auth = NULL;
1006+
}
1007+
else
1008+
{
1009+
proxy_auth = malloc(authLen);
1010+
}
1011+
9681012
if (proxy_auth == NULL)
9691013
{
9701014
LogError("failure allocating proxy authentication");

Diff for: adapters/httpapi_tirtos.c

+12-1
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@
1010
#include "azure_c_shared_utility/httpapi.h"
1111
#include "azure_c_shared_utility/strings.h"
1212
#include "azure_c_shared_utility/xlogging.h"
13+
#include "azure_c_shared_utility/safe_math.h"
1314

1415
#define CONTENT_BUF_LEN 128
1516

@@ -198,7 +199,17 @@ HTTPAPI_RESULT HTTPAPI_ExecuteRequest(HTTP_HANDLE handle,
198199
}
199200

200201
if (cnt < offset + ret) {
201-
hname = (char *)realloc(hname, offset + ret);
202+
size_t malloc_size = safe_add_size_t(offset, ret);
203+
if (malloc_size == SIZE_MAX)
204+
{
205+
LogError("invalid realloc size");
206+
hname = NULL;
207+
}
208+
else
209+
{
210+
hname = (char*)realloc(hname, malloc_size);
211+
}
212+
202213
if (hname == NULL) {
203214
LogError("Failed reallocating memory");
204215
ret = HTTPAPI_ALLOC_FAILED;

0 commit comments

Comments
 (0)