This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] vfprintf: validate nargs and positional offsets


On 02/03/2012 01:12 AM, Kees Cook wrote:

> I felt it was better to take the entire allocation into account
> instead of just the first one.

Something like that might work, but if the code computes just
one size for checking, then it should do just one allocation.
Otherwise, it's making unwarranted assumptions about how alloca works.

Joseph's suggestion re __libc_use_alloca seems like a good one here.
You'll still need to do overflow checks when computing the sizes that
you pass to alloca and/or malloc, but you can rely on __libc_use_alloca
to decide between alloca and malloc.  vfprintf.c already does this elsewhere
so you can use that code as a model.

> it seemed trivial to add the check so that if the behavior of
> read_int or __parse_one_spec* ever changed, this portion of the code
> would remain robust.

But it would be a bug if those other functions generated incorrect
values for max_ref_arg.  Typically, each glibc module is written under
the assumption that other glibc modules don't have bugs: this keeps
the code simpler and easier to maintain, and thereby improves reliability.
It also yields better performance.  So please omit these useless checks.
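The pattern the reply asks for, as an added example that is not code from this thread or from glibc: compute one size for both per-argument tables with an explicit overflow check, let a single cutoff decide between alloca and malloc, and do exactly one allocation of that size. The function and type names, the `ALLOCA_CUTOFF` value standing in for the limit that `__libc_use_alloca` applies, and the positional-reference input are all assumptions made for the illustration.

```c
/* Added example (not glibc code): one size, one overflow check, one allocation.
   Names, the cutoff and the argument union are hypothetical stand-ins. */
#include <alloca.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for vfprintf's union of argument values (hypothetical). */
union arg_value {
    long long ll;
    double d;
    const void *p;
};

/* Hypothetical cutoff playing the role of the __libc_use_alloca limit.
   Deliberately small so the malloc path is easy to exercise. */
#define ALLOCA_CUTOFF 4096

static bool use_alloca(size_t size)
{
    return size <= ALLOCA_CUTOFF;
}

/* The single size that covers the value table and the type table.
   Returns false on overflow so neither alloca nor malloc ever receives
   a wrapped-around size. */
static bool arg_tables_size(size_t nargs, size_t *out)
{
    const size_t per_arg = sizeof(union arg_value) + sizeof(int);
    if (nargs > SIZE_MAX / per_arg)
        return false;
    *out = nargs * per_arg;
    return true;
}

/* refs[i] is the 1-based argument index (the N in %N$d) for the i-th
   conversion (constructed input).  Returns 0 on success, -1 with errno
   set on an out-of-range reference, overflow, or allocation failure. */
static int process_positional(size_t nargs, const size_t *refs, size_t nrefs)
{
    size_t size;
    if (!arg_tables_size(nargs, &size)) {
        errno = EOVERFLOW;
        return -1;
    }

    /* One decision, one allocation, sized by the value checked above. */
    bool heap = !use_alloca(size);
    unsigned char *buf = heap ? malloc(size) : alloca(size);
    if (buf == NULL) {
        errno = ENOMEM;
        return -1;
    }
    /* Values first (stricter alignment), then the int-sized type table. */
    union arg_value *values = (union arg_value *)buf;
    int *types = (int *)(buf + nargs * sizeof(union arg_value));
    memset(types, 0, nargs * sizeof(int));

    int rc = 0;
    for (size_t i = 0; i < nrefs; i++) {
        /* %N$ must name an argument that exists: 1 <= N <= nargs. */
        if (refs[i] == 0 || refs[i] > nargs) {
            errno = EINVAL;
            rc = -1;
            break;
        }
        types[refs[i] - 1] = 1;              /* hypothetical "int" type tag */
        values[refs[i] - 1].ll = (long long)i;
    }

    if (heap)
        free(buf);
    return rc;
}
```

The overflow check lives in `arg_tables_size`, where the size is computed, rather than at each use; the caller only decides where that one size is allocated from, which is the division of labour the reply describes.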

