• Address concerns of Chris Palmer from the Android security team
– possible integer overflows in memory allocation, mostly ‣ multiplication: all are checked now ‣ addition: reviewed them, most were “proven” or guessed to be “almost” impossible to run over (e.g. when we have a string whose length is taken it is assumed that the length will be more than only a few bytes below SIZE_MAX, since code and stack have to fit); some are checked now (e.g. when one of the summands is an off_t); most of the unchecked ones are annotated now ⇒ cost (MirBSD/i386 static): +76 .text ⇒ cost (Debian sid/i386): +779 .text -4 .data – on Linux targets, setuid() setresuid() setresgid() can fail with EAGAIN; check for that and, if so, warn once and retry infinitely (other targets to be added later once we know that they are “insane”) ⇒ cost (Debian sid/i386): +192 .text (includes .rodata) • setmode.c: Do overflow checking for realloc() too; switch back from calloc() to a checked malloc() for simplification while there • define -DIN_MKSH and let setmode.c look a tad nicer while here
8
tree.c
8
tree.c
@@ -22,7 +22,7 @@
|
||||
|
||||
#include "sh.h"
|
||||
|
||||
__RCSID("$MirOS: src/bin/mksh/tree.c,v 1.31 2010/08/28 20:22:24 tg Exp $");
|
||||
__RCSID("$MirOS: src/bin/mksh/tree.c,v 1.32 2010/09/14 21:26:19 tg Exp $");
|
||||
|
||||
#define INDENT 4
|
||||
|
||||
@@ -454,7 +454,7 @@ tcopy(struct op *t, Area *ap)
|
||||
else {
|
||||
for (tw = (const char **)t->vars; *tw++ != NULL; )
|
||||
;
|
||||
rw = r->vars = alloc((tw - (const char **)t->vars + 1) *
|
||||
rw = r->vars = alloc2(tw - (const char **)t->vars + 1,
|
||||
sizeof(*tw), ap);
|
||||
for (tw = (const char **)t->vars; *tw != NULL; )
|
||||
*rw++ = wdcopy(*tw++, ap);
|
||||
@@ -466,7 +466,7 @@ tcopy(struct op *t, Area *ap)
|
||||
else {
|
||||
for (tw = t->args; *tw++ != NULL; )
|
||||
;
|
||||
r->args = (const char **)(rw = alloc((tw - t->args + 1) *
|
||||
r->args = (const char **)(rw = alloc2(tw - t->args + 1,
|
||||
sizeof(*tw), ap));
|
||||
for (tw = t->args; *tw != NULL; )
|
||||
*rw++ = wdcopy(*tw++, ap);
|
||||
@@ -636,7 +636,7 @@ iocopy(struct ioword **iow, Area *ap)
|
||||
|
||||
for (ior = iow; *ior++ != NULL; )
|
||||
;
|
||||
ior = alloc((ior - iow + 1) * sizeof(struct ioword *), ap);
|
||||
ior = alloc2(ior - iow + 1, sizeof(struct ioword *), ap);
|
||||
|
||||
for (i = 0; iow[i] != NULL; i++) {
|
||||
struct ioword *p, *q;
|
||||
|
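Review bot: The `+ 1` in the element count handed to alloc2() at all three call sites (`tw - (const char **)t->vars + 1`, `tw - t->args + 1`, `ior - iow + 1`) is still an unchecked addition on a ptrdiff_t that is then converted to alloc2()'s count argument, and the commit message says the remaining unchecked additions were annotated rather than checked, so the reasoning should be visible here: `/* pointer difference counts objects already in memory, so +1 cannot overflow; conversion relies on it being non-negative */`. The scan loop `for (tw = ...; *tw++ != NULL; ) ;` leaves tw one past the terminating NULL, so the difference already includes the terminator and the extra slot appears to be spare — stating that in the same comment would stop a later reader from "fixing" it in either direction. The signature of alloc2() and the NULL-termination of the copied array are outside these hunks, as are the bodies of tcopy() and iocopy().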