This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] vfprintf: validate nargs and positional offsets


Hi Paul,

On Fri, Feb 03, 2012 at 12:14:59PM -0800, Paul Eggert wrote:
> On 02/03/2012 01:12 AM, Kees Cook wrote:
> 
> > I felt it was better to take the entire allocation into account
> > instead of just the first one.
> 
> Something like that might work, but if the code computes just
> one size for checking, then it should do just one allocation.
> Otherwise, it's making unwarranted assumptions about how alloca works.
> 
> Joseph's suggestion re __libc_use_alloca seems like a good one here.
> You'll still need to do overflow checks when computing the sizes that
> you pass to alloca and/or malloc, but you can rely on __libc_use_alloca
> to decide between alloca and malloc.  vfprintf.c already does this elsewhere
> so you can use that code as a model.

Excellent, sounds good.

> > it seemed trivial to add the check so that if the behavior of
> > read_int or __parse_one_spec* ever changed, this portion of the code
> > would remain robust.
> 
> But it would be a bug if those other functions generated incorrect
> values for max_ref_arg.  Typically, each glibc module is written under
> the assumption that other glibc modules don't have bugs: this keeps
> the code simpler and easier to maintain, and thereby improves reliability.
> It also yields better performance.  So please omit these useless checks.

Fair enough. :) I'll get a new version up shortly...

-Kees

-- 
Kees Cook                                            @outflux.net
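The pattern Paul describes above (compute one checked size, make one allocation from it, and let a single predicate decide between alloca and malloc) as an added illustration; this is not glibc's code and not the patch under discussion. `fits_on_stack()` and `STACK_LIMIT` are stand-ins for `__libc_use_alloca` and its threshold, and the two per-argument tables are a simplified stand-in for the bookkeeping vfprintf keeps for positional arguments.

```c
/* Added example, not glibc's code: one checked size computation feeds one
 * allocation, and one predicate decides stack versus heap. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed threshold; in glibc the cutoff is decided by __libc_use_alloca. */
#define STACK_LIMIT 4096

enum alloc_result {
    ALLOC_FAILED   = -2,   /* malloc returned NULL */
    ALLOC_OVERFLOW = -1,   /* nargs * per-arg size would wrap */
    ALLOC_HEAP     =  0,   /* block came from malloc and was freed */
    ALLOC_STACK    =  1    /* block came from alloca */
};

/* Simplified per-argument records: a type code and the fetched value.
 * Both tables must be covered by the single checked allocation. */
typedef struct { int type; } arg_type;
typedef union { long l; double d; void *p; } arg_value;

/* True if a * b does not fit in size_t. */
static int mul_overflows(size_t a, size_t b)
{
    return b != 0 && a > SIZE_MAX / b;
}

/* Stand-in for __libc_use_alloca: small blocks go on the stack. */
static int fits_on_stack(size_t bytes)
{
    return bytes <= STACK_LIMIT;
}

/* Size both tables together, check once, allocate once, carve both
 * tables out of the same block. Values (stricter alignment) go first. */
static enum alloc_result build_arg_tables(size_t nargs)
{
    size_t per_arg = sizeof(arg_value) + sizeof(arg_type);
    if (mul_overflows(nargs, per_arg))
        return ALLOC_OVERFLOW;            /* refuse instead of wrapping */
    size_t bytes = nargs * per_arg;

    int on_stack = fits_on_stack(bytes);
    unsigned char *block = on_stack ? alloca(bytes) : malloc(bytes);
    if (block == NULL)
        return ALLOC_FAILED;

    arg_value *values = (arg_value *)block;
    arg_type  *types  = (arg_type *)(block + nargs * sizeof(arg_value));
    for (size_t i = 0; i < nargs; i++) {
        values[i].l = 0;
        types[i].type = 0;
    }

    if (!on_stack)
        free(block);
    return on_stack ? ALLOC_STACK : ALLOC_HEAP;
}

int main(void)
{
    printf("10 args      -> %d\n", build_arg_tables(10));        /* stack */
    printf("100000 args  -> %d\n", build_arg_tables(100000));    /* heap */
    printf("SIZE_MAX/8   -> %d\n", build_arg_tables(SIZE_MAX / 8)); /* overflow */
    return 0;
}
```

Because the size check and the allocation are both done once on the combined size, the code makes no assumption about how alloca lays out two separate calls, which is the concern raised above.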

