Check for arithmetic overflows before allocating

p11-glue · Dec 11, 2020 · 6c1c94b · 6c1c94b
1 parent 7625cfc
commit 6c1c94b
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 9 deletions.
diff --git a/p11-kit/iter.c b/p11-kit/iter.c
@@ -549,7 +549,7 @@ move_next_session (P11KitIter *iter)
 			if (rv != CKR_OK)
 				return finish_iterating (iter, rv);
 
-			slots = realloc (iter->slots, sizeof (CK_SLOT_ID) * (num_slots + 1));
+			slots = reallocarray (iter->slots, num_slots + 1, sizeof (CK_SLOT_ID));
 			return_val_if_fail (slots != NULL, CKR_HOST_MEMORY);
 			iter->slots = slots;
 
@@ -705,7 +705,7 @@ p11_kit_iter_next (P11KitIter *iter)
 				CK_OBJECT_HANDLE *objects;
 
 				iter->max_objects = iter->max_objects ? iter->max_objects * 2 : 64;
-				objects = realloc (iter->objects, iter->max_objects * sizeof (CK_ULONG));
+				objects = reallocarray (iter->objects, iter->max_objects, sizeof (CK_ULONG));
 				return_val_if_fail (objects != NULL, CKR_HOST_MEMORY);
 				iter->objects = objects;
 			}

diff --git a/p11-kit/lists.c b/p11-kit/lists.c
@@ -64,6 +64,8 @@ hex_encode (const unsigned char *data,
 	size_t i;
 	size_t o;
 
+	if ((SIZE_MAX - 1) / 3 < n_data)
+		return NULL;
 	result = malloc (n_data * 3 + 1);
 	if (result == NULL)
 		return NULL;

diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
@@ -283,7 +283,7 @@ proxy_list_slots (Proxy *py, Mapping *mappings, unsigned int n_mappings)
 
 			new_slots = calloc (count, sizeof(CK_SLOT_ID));
 			return_val_if_fail (new_slots != NULL, CKR_HOST_MEMORY);
-			new_mappings = realloc (py->mappings, sizeof (Mapping) * (py->n_mappings + count));
+			new_mappings = reallocarray (py->mappings, (py->n_mappings + count), sizeof (Mapping));
 			return_val_if_fail (new_mappings != NULL, CKR_HOST_MEMORY);
 			py->mappings = new_mappings;
 

diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
@@ -43,6 +43,7 @@
 #include "rpc-message.h"
 
 #include <assert.h>
+#include <errno.h>
 #include <string.h>
 
 #define ELEMS(x) (sizeof (x) / sizeof (x[0]))
@@ -114,6 +115,18 @@ p11_rpc_message_alloc_extra (p11_rpc_message *msg,
 	return (void *)(data + 1);
 }
 
+void *
+p11_rpc_message_alloc_extra_array (p11_rpc_message *msg,
+				   size_t nmemb,
+				   size_t size)
+{
+	if ((SIZE_MAX - sizeof (void *)) / nmemb < size) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	return p11_rpc_message_alloc_extra (msg, nmemb * size);
+}
+
 bool
 p11_rpc_message_prep (p11_rpc_message *msg,
                       int call_id,

diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
@@ -255,6 +255,10 @@ void             p11_rpc_message_clear                   (p11_rpc_message *msg);
 void *           p11_rpc_message_alloc_extra             (p11_rpc_message *msg,
                                                           size_t length);
 
+void *           p11_rpc_message_alloc_extra_array       (p11_rpc_message *msg,
+                                                          size_t nmemb,
+                                                          size_t size);
+
 bool             p11_rpc_message_prep                    (p11_rpc_message *msg,
                                                           int call_id,
                                                           p11_rpc_message_type type);

diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
@@ -88,7 +88,7 @@ proto_read_byte_buffer (p11_rpc_message *msg,
 	if (length == 0)
 		return CKR_OK;
 
-	*buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_BYTE));
+	*buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_BYTE));
 	if (*buffer == NULL)
 		return CKR_DEVICE_MEMORY;
 
@@ -186,7 +186,7 @@ proto_read_ulong_buffer (p11_rpc_message *msg,
 	if (length == 0)
 		return CKR_OK;
 
-	*buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_ULONG));
+	*buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_ULONG));
 	if (!*buffer)
 		return CKR_DEVICE_MEMORY;
 
@@ -246,7 +246,7 @@ proto_read_attribute_buffer (p11_rpc_message *msg,
 		return PARSE_ERROR;
 
 	/* Allocate memory for the attribute structures */
-	attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
+	attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
 	if (attrs == NULL)
 		return CKR_DEVICE_MEMORY;
 
@@ -300,7 +300,7 @@ proto_read_attribute_array (p11_rpc_message *msg,
 		return PARSE_ERROR;
 
 	/* Allocate memory for the attribute structures */
-	attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
+	attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
 	if (attrs == NULL)
 		return CKR_DEVICE_MEMORY;
 

diff --git a/trust/index.c b/trust/index.c
@@ -273,7 +273,7 @@ bucket_insert (index_bucket *bucket,
 
 		alloc = alloc ? alloc * 2 : 1;
 		return_if_fail (alloc != 0);
-		elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
+		elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE));
 		return_if_fail (elem != NULL);
 		bucket->elem = elem;
 	}
@@ -297,7 +297,7 @@ bucket_push (index_bucket *bucket,
 
 		alloc = alloc ? alloc * 2 : 1;
 		return_val_if_fail (alloc != 0, false);
-		elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
+		elem = reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE));
 		return_val_if_fail (elem != NULL, false);
 		bucket->elem = elem;
 	}