This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] vfprintf: validate nargs and positional offsets
Hi Paul,
On Fri, Feb 03, 2012 at 12:14:59PM -0800, Paul Eggert wrote:
> On 02/03/2012 01:12 AM, Kees Cook wrote:
>
> > I felt it was better to take the entire allocation into account
> > instead of just the first one.
>
> Something like that might work, but if the code computes just
> one size for checking, then it should do just one allocation.
> Otherwise, it's making unwarranted assumptions about how alloca works.
>
> Joseph's suggestion re __libc_use_alloca seems like a good one here.
> You'll still need to do overflow checks when computing the sizes that
> you pass to alloca and/or malloc, but you can rely on __libc_use_alloca
> to decide between alloca and malloc. vfprintf.c already does this elsewhere
> so you can use that code as a model.
Excellent, sounds good.
> > it seemed trivial to add the check so that if the behavior of
> > read_int or __parse_one_spec* ever changed, this portion of the code
> > would remain robust.
>
> But it would be a bug if those other functions generated incorrect
> values for max_ref_arg. Typically, each glibc module is written under
> the assumption that other glibc modules don't have bugs: this keeps
> the code simpler and easier to maintain, and thereby improves reliability.
> It also yields better performance. So please omit these useless checks.
Fair enough. :) I'll get a new version up shortly...
-Kees
--
Kees Cook @outflux.net
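The exchange above turns on two points: the size passed to alloca or malloc has to be computed with an overflow check, and if only one size is checked then only one allocation should be made from it, with the stack/heap decision made once on that checked size. The C below is an added illustration of that pattern, written for this page; it is not the patch under discussion nor glibc's vfprintf code. The record types (union arg_value, arg_type), the PER_ARG_BYTES macro, the STACK_ALLOC_LIMIT threshold standing in for glibc's internal __libc_use_alloca, and all function names are assumptions made for the example.

```c
#include <alloca.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stack/heap cut-off standing in for glibc's internal
   __libc_use_alloca(): at or below this many bytes use alloca(), above it
   malloc().  The number is illustrative. */
#define STACK_ALLOC_LIMIT 4096

/* Hypothetical per-argument records (not glibc's layout): one value slot
   and one type tag for every positional argument the format refers to. */
union arg_value { int i; long l; double d; const void *p; };
typedef int arg_type;

/* Footprint of one argument in the combined block: value slot plus tag. */
#define PER_ARG_BYTES (sizeof(union arg_value) + sizeof(arg_type))

/* The unsafe pattern: multiply first, check nothing.  For a large enough
   nargs the product wraps and the caller ends up with a block far smaller
   than the nargs entries it will then write into it. */
size_t unchecked_block_size(size_t nargs)
{
    return nargs * PER_ARG_BYTES;
}

/* The hardened pattern: one size, computed once, with the multiplication
   guarded against wrap-around.  Returns false (leaving *total untouched)
   when nargs entries cannot be described by a size_t at all. */
bool args_block_size(size_t nargs, size_t *total)
{
    if (nargs > SIZE_MAX / PER_ARG_BYTES)
        return false;
    *total = nargs * PER_ARG_BYTES;
    return true;
}

enum alloc_path { ALLOC_OVERFLOW = -1, ALLOC_STACK = 0, ALLOC_HEAP = 1, ALLOC_FAILED = 2 };

/* Set up storage for nargs positional arguments: validate the size once,
   then make exactly one allocation of exactly that size.  The stack/heap
   choice is made once, on the checked total, and remembered so that the
   release path matches the acquisition path.  Returns the path taken. */
enum alloc_path setup_positional_args(size_t nargs)
{
    size_t total;
    if (!args_block_size(nargs, &total)) {
        errno = EOVERFLOW;
        return ALLOC_OVERFLOW;
    }

    bool on_stack = total <= STACK_ALLOC_LIMIT;
    void *block;
    if (on_stack)
        block = alloca(total);
    else
        block = malloc(total);
    if (block == NULL) {
        errno = ENOMEM;
        return ALLOC_FAILED;
    }

    /* Carve both arrays out of the single block.  Values come first so the
       tag array starts at an offset that is a multiple of the value size. */
    union arg_value *values = block;
    arg_type *types = (arg_type *) (values + nargs);
    memset(values, 0, nargs * sizeof *values);
    memset(types, 0, nargs * sizeof *types);

    /* A real caller would now fill types[] from the parsed specifiers and
       values[] from va_arg(); this example only shows the allocation. */

    if (!on_stack)
        free(block);
    return on_stack ? ALLOC_STACK : ALLOC_HEAP;
}

int main(void)
{
    size_t big = SIZE_MAX / PER_ARG_BYTES + 1;   /* constructed: just past the limit */
    printf("10 args   -> path %d\n", setup_positional_args(10));
    printf("1000 args -> path %d\n", setup_positional_args(1000));
    printf("%zu args -> path %d\n", big, setup_positional_args(big));
    printf("unchecked size for %zu args wraps to %zu bytes\n",
           big, unchecked_block_size(big));
    return 0;
}
```

The failure mode the patch title points at is the last line of main: an nargs just past SIZE_MAX / PER_ARG_BYTES makes the unchecked product wrap to a handful of bytes, so every later write past that block is out of bounds. The checked version refuses the same nargs before any allocation happens, and because the decision between alloca and malloc is taken on the single checked total, there is no second size computation that could disagree with the first.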