JehanneOS/mksh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

• Address concerns of Chris Palmer from the Android security team

Browse Source 
– possible integer overflows in memory allocation, mostly
    ‣ multiplication: all are checked now
    ‣ addition: reviewed them, most were “proven” or guessed to be
      “almost” impossible to run over (e.g. when we have a string
      whose length is taken it is assumed that the length will be
      more than only a few bytes below SIZE_MAX, since code and
      stack have to fit); some are checked now (e.g. when one of
      the summands is an off_t); most of the unchecked ones are
      annotated now
    ⇒ cost (MirBSD/i386 static): +76 .text
    ⇒ cost (Debian sid/i386): +779 .text  -4 .data
  – on Linux targets, setuid() setresuid() setresgid() can fail
    with EAGAIN; check for that and, if so, warn once and retry
    infinitely (other targets to be added later once we know that
    they are “insane”)
    ⇒ cost (Debian sid/i386): +192 .text (includes .rodata)
• setmode.c: Do overflow checking for realloc() too; switch back
  from calloc() to a checked malloc() for simplification while there
• define -DIN_MKSH and let setmode.c look a tad nicer while here
This commit is contained in:
tg
2010-09-14 21:26:19 +00:00
parent 08862021ee
commit 667d792d6a
18 changed files with 204 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
tree.c
View File

@@ -22,7 +22,7 @@
#include "sh.h"
__RCSID("$MirOS: src/bin/mksh/tree.c,v 1.31 2010/08/28 20:22:24 tg Exp $");
__RCSID("$MirOS: src/bin/mksh/tree.c,v 1.32 2010/09/14 21:26:19 tg Exp $");
#define INDENT 4
@@ -454,7 +454,7 @@ tcopy(struct op *t, Area *ap)
else {
for (tw = (const char **)t->vars; *tw++ != NULL; )
;
rw = r->vars = alloc((tw - (const char **)t->vars + 1) *
rw = r->vars = alloc2(tw - (const char **)t->vars + 1,
sizeof(*tw), ap);
for (tw = (const char **)t->vars; *tw != NULL; )
*rw++ = wdcopy(*tw++, ap);
@@ -466,7 +466,7 @@ tcopy(struct op *t, Area *ap)
else {
for (tw = t->args; *tw++ != NULL; )
;
r->args = (const char **)(rw = alloc((tw - t->args + 1) *
r->args = (const char **)(rw = alloc2(tw - t->args + 1,
sizeof(*tw), ap));
for (tw = t->args; *tw != NULL; )
*rw++ = wdcopy(*tw++, ap);
@@ -636,7 +636,7 @@ iocopy(struct ioword **iow, Area *ap)
for (ior = iow; *ior++ != NULL; )
;
ior = alloc((ior - iow + 1) * sizeof(struct ioword *), ap);
ior = alloc2(ior - iow + 1, sizeof(struct ioword *), ap);
for (i = 0; iow[i] != NULL; i++) {
struct ioword *p, *q;