
From 6c1c94bd2360f5778beb397ba5508d5084b7f0ee Mon Sep 17 00:00:00 2001
From: David Cook <divergentdave@gmail.com>
Date: Sat, 7 Nov 2020 10:12:44 -0600
Subject: [PATCH] Check for arithmetic overflows before allocating

---
 p11-kit/iter.c        |  4 ++--
 p11-kit/lists.c       |  2 ++
 p11-kit/proxy.c       |  2 +-
 p11-kit/rpc-message.c | 13 +++++++++++++
 p11-kit/rpc-message.h |  4 ++++
 p11-kit/rpc-server.c  |  8 ++++----
 trust/index.c         |  4 ++--
 7 files changed, 28 insertions(+), 9 deletions(-)

Index: p11-kit-0.23.2/p11-kit/iter.c
===================================================================
--- p11-kit-0.23.2.orig/p11-kit/iter.c
+++ p11-kit-0.23.2/p11-kit/iter.c
@@ -490,7 +490,7 @@ move_next_session (P11KitIter *iter)
 		if (rv != CKR_OK)
 			return finish_iterating (iter, rv);
 
-		iter->slots = realloc (iter->slots, sizeof (CK_SLOT_ID) * (num_slots + 1));
+		iter->slots = reallocarray (iter->slots, (num_slots + 1), sizeof (CK_SLOT_ID) );
 		return_val_if_fail (iter->slots != NULL, CKR_HOST_MEMORY);
 
 		rv = (iter->module->C_GetSlotList) (CK_TRUE, iter->slots, &num_slots);
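Review bot: `reallocarray` on the new line is not ISO C but a glibc 2.26+/BSD extension, and the diffstat at the top of this patch shows no compat.c/compat.h change supplying a fallback, so unless the tree already carries its own definition the backport will fail to link on an older libc — confirm before merging. Separately, assigning the result straight back into `iter->slots` drops the old buffer when reallocarray returns NULL, so the CKR_HOST_MEMORY path leaks it; a temporary avoids that: `CK_SLOT_ID *slots = reallocarray (iter->slots, num_slots + 1, sizeof (CK_SLOT_ID)); return_val_if_fail (slots != NULL, CKR_HOST_MEMORY); iter->slots = slots;`. move_next_session continues outside this hunk.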
@@ -604,7 +604,7 @@ p11_kit_iter_next (P11KitIter *iter)
 		for (;;) {
 			if (iter->max_objects - iter->num_objects == 0) {
 				iter->max_objects = iter->max_objects ? iter->max_objects * 2 : 64;
-				iter->objects = realloc (iter->objects, iter->max_objects * sizeof (CK_ULONG));
+				iter->objects = reallocarray (iter->objects, sizeof (CK_ULONG), iter->max_objects );
 				return_val_if_fail (iter->objects != NULL, CKR_HOST_MEMORY);
 			}
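Review bot: The reallocarray arguments on the new line are in (size, nmemb) order, the reverse of the call in the first iter.c hunk; the product is the same, but a reader checking it against the `reallocarray(ptr, nmemb, size)` signature will stumble, so write it as `reallocarray (iter->objects, iter->max_objects, sizeof (CK_ULONG))`. The same overwrite-on-failure pattern as the first hunk applies here: on NULL the old `iter->objects` array is lost before return_val_if_fail fires. p11_kit_iter_next continues outside this hunk.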
 
Index: p11-kit-0.23.2/p11-kit/lists.c
===================================================================
--- p11-kit-0.23.2.orig/p11-kit/lists.c
+++ p11-kit-0.23.2/p11-kit/lists.c
@@ -64,6 +64,8 @@ hex_encode (const unsigned char *data,
 	size_t i;
 	size_t o;
 
+	if ((SIZE_MAX - 1) / 3 < n_data)
+		return NULL;
 	result = malloc (n_data * 3 + 1);
 	if (result == NULL)
 		return NULL;
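Review bot: The new guard relies on `SIZE_MAX`, which lives in `<stdint.h>`, and the hunk adds no include; if lists.c does not already pull that header in (not visible here), this fails to compile. The arithmetic itself is right — bounding `n_data` by `(SIZE_MAX - 1) / 3` leaves room for the `+ 1` — but a one-line comment would save the next reader the derivation: `/* n_data * 3 + 1 must not wrap around */`. hex_encode continues outside this hunk.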
Index: p11-kit-0.23.2/p11-kit/proxy.c
===================================================================
--- p11-kit-0.23.2.orig/p11-kit/proxy.c
+++ p11-kit-0.23.2/p11-kit/proxy.c
@@ -287,7 +287,7 @@ proxy_create (Proxy **res)
 
 			return_val_if_fail (count == 0 || slots != NULL, CKR_GENERAL_ERROR);
 
-			py->mappings = realloc (py->mappings, sizeof (Mapping) * (py->n_mappings + count));
+			py->mappings = reallocarray (py->mappings, (py->n_mappings + count), sizeof (Mapping) );
 			return_val_if_fail (py->mappings != NULL, CKR_HOST_MEMORY);
 
 			/* And now add a mapping for each of those slots */
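Review bot: reallocarray only guards the multiplication; the addition `py->n_mappings + count` on the new line is still unchecked, and if it wraps the buffer comes out far too small for the `count` mappings the loop below presumably writes. The types of `n_mappings` and `count` are not visible in the hunk, so whether a wrap is reachable is unclear, but a guard is cheap: `return_val_if_fail (count <= SIZE_MAX - py->n_mappings, CKR_HOST_MEMORY);` before the realloc. As elsewhere in this patch, writing the result straight into `py->mappings` leaks the old array on failure. proxy_create continues outside this hunk.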
Index: p11-kit-0.23.2/p11-kit/rpc-message.c
===================================================================
--- p11-kit-0.23.2.orig/p11-kit/rpc-message.c
+++ p11-kit-0.23.2/p11-kit/rpc-message.c
@@ -42,6 +42,7 @@
 #include "rpc-message.h"
 
 #include <assert.h>
+#include <errno.h>
 #include <string.h>
 
 void
@@ -111,6 +112,18 @@ p11_rpc_message_alloc_extra (p11_rpc_mes
 	return (void *)(data + 1);
 }
 
+void *
+p11_rpc_message_alloc_extra_array (p11_rpc_message *msg,
+				   size_t nmemb,
+				   size_t size)
+{
+	if ((SIZE_MAX - sizeof (void *)) / nmemb < size) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	return p11_rpc_message_alloc_extra (msg, nmemb * size);
+}
+
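Review bot: `(SIZE_MAX - sizeof (void *)) / nmemb` divides by zero when `nmemb` is 0, and the attribute-array callers added in rpc-server.c pass a client-supplied count through without filtering zero, so a crafted message can crash the server. Guard the degenerate case and let `p11_rpc_message_alloc_extra (msg, 0)` behave as it did before: `if (nmemb != 0 && (SIZE_MAX - sizeof (void *)) / nmemb < size) {`. A comment on the constant would also help, e.g. `/* leave room for the list-node header alloc_extra prepends; keep in sync with it */` — I am inferring that header from the `data + 1` return just above, so confirm. Consider noting in a header comment that the function sets errno to ENOMEM on overflow, since that is the only way callers can distinguish overflow from allocation failure.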
 bool
 p11_rpc_message_prep (p11_rpc_message *msg,
                       int call_id,
Index: p11-kit-0.23.2/p11-kit/rpc-message.h
===================================================================
--- p11-kit-0.23.2.orig/p11-kit/rpc-message.h
+++ p11-kit-0.23.2/p11-kit/rpc-message.h
@@ -243,6 +243,10 @@ void             p11_rpc_message_clear
 void *           p11_rpc_message_alloc_extra             (p11_rpc_message *msg,
                                                           size_t length);
 
+void *           p11_rpc_message_alloc_extra_array       (p11_rpc_message *msg,
+                                                          size_t nmemb,
+                                                          size_t size);
+
 bool             p11_rpc_message_prep                    (p11_rpc_message *msg,
                                                           int call_id,
                                                           p11_rpc_message_type type);
Index: p11-kit-0.23.2/p11-kit/rpc-server.c
===================================================================
--- p11-kit-0.23.2.orig/p11-kit/rpc-server.c
+++ p11-kit-0.23.2/p11-kit/rpc-server.c
@@ -83,7 +83,7 @@ proto_read_byte_buffer (p11_rpc_message
 	if (length == 0)
 		return CKR_OK;
 
-	*buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_BYTE));
+	*buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_BYTE));
 	if (*buffer == NULL)
 		return CKR_DEVICE_MEMORY;
 
@@ -181,7 +181,7 @@ proto_read_ulong_buffer (p11_rpc_message
 	if (length == 0)
 		return CKR_OK;
 
-	*buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_ULONG));
+	*buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_ULONG));
 	if (!*buffer)
 		return CKR_DEVICE_MEMORY;
 
@@ -241,7 +241,7 @@ proto_read_attribute_buffer (p11_rpc_mes
 		return PARSE_ERROR;
 
 	/* Allocate memory for the attribute structures */
-	attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
+	attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
 	if (attrs == NULL)
 		return CKR_DEVICE_MEMORY;
 
@@ -299,7 +299,7 @@ proto_read_attribute_array (p11_rpc_mess
 		return PARSE_ERROR;
 
 	/* Allocate memory for the attribute structures */
-	attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE));
+	attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE));
 	if (attrs == NULL)
 		return CKR_DEVICE_MEMORY;
 
Index: p11-kit-0.23.2/trust/index.c
===================================================================
--- p11-kit-0.23.2.orig/trust/index.c
+++ p11-kit-0.23.2/trust/index.c
@@ -263,7 +263,7 @@ bucket_insert (index_bucket *bucket,
 	if (bucket->num + 1 > alloc) {
 		alloc = alloc ? alloc * 2 : 1;
 		return_if_fail (alloc != 0);
-		bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
+		bucket->elem = reallocarray (bucket->elem, sizeof (CK_OBJECT_HANDLE), alloc);
 	}
 
 	return_if_fail (bucket->elem != NULL);
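Review bot: The reallocarray call puts `sizeof (CK_OBJECT_HANDLE)` in the nmemb slot and `alloc` in the size slot; both are size_t so the compiler cannot catch it, and the product is unaffected, but it reads as a mistake next to the `(ptr, nmemb, size)` signature — use `reallocarray (bucket->elem, alloc, sizeof (CK_OBJECT_HANDLE))`. Storing the result directly into `bucket->elem` means a NULL return leaks the old element array and leaves the bucket with `num` elements but no storage; `CK_OBJECT_HANDLE *elem = reallocarray (...); return_if_fail (elem != NULL); bucket->elem = elem;` keeps the bucket consistent. bucket_insert continues outside this hunk.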
@@ -283,7 +283,7 @@ bucket_push (index_bucket *bucket,
 	if (bucket->num + 1 > alloc) {
 		alloc = alloc ? alloc * 2 : 1;
 		return_val_if_fail (alloc != 0, false);
-		bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE));
+		bucket->elem = reallocarray (bucket->elem, sizeof (CK_OBJECT_HANDLE), alloc);
 	}
 
 	return_val_if_fail (bucket->elem != NULL, false);
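Review bot: bucket_push repeats the swapped (size, nmemb) argument order and the overwrite-on-failure assignment of bucket_insert; since the two growth paths are otherwise identical, a small static helper taking the bucket and the new `alloc` would fix both in one place and keep them from drifting. As written, a failed reallocation here returns false but has already replaced `bucket->elem` with NULL, dropping the existing handles. bucket_push continues outside this hunk.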