From bb9d056157e37451ec14800d5914733a625f1901 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Sun, 12 Jun 2011 22:28:33 +0100
Subject: [PATCH] integer and buffer overflows: introduce safe_malloc_ary

When allocating an array, it is necessary to check that the multiplication (to compute the size in bytes) does not overflow. Do this in a new function safe_malloc_ary, which we call in both the places where safe_malloc was previously used with an unchecked multiplication.

Signed-off-by: Ian Jackson
---
 ipaddr.c | 2 +-
 netlink.c | 4 ++--
 secnet.h | 1 +
 util.c | 6 ++++++
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/ipaddr.c b/ipaddr.c
index 433db62..8de384b 100644
--- a/ipaddr.c
+++ b/ipaddr.c
@@ -17,7 +17,7 @@ struct subnet_list *subnet_list_new(void)
 r=safe_malloc(sizeof(*r),"subnet_list_new:list");
 r->entries=0;
 r->alloc=DEFAULT_ALLOC;
- r->list=safe_malloc(sizeof(*r->list)*r->alloc,"subnet_list_new:data");
+ r->list=safe_malloc_ary(sizeof(*r->list),r->alloc,"subnet_list_new:data");
 return r;
 }
diff --git a/netlink.c b/netlink.c
index f6d4e72..70eb928 100644
--- a/netlink.c
+++ b/netlink.c
@@ -768,8 +768,8 @@ static void netlink_phase_hook(void *sst, uint32_t new_phase)
 /* All the networks serviced by the various tunnels should now
 * have been registered. We build a routing table by sorting the
 * clients by priority. */
- st->routes=safe_malloc(st->n_clients*sizeof(*st->routes), "netlink_phase_hook");
+ st->routes=safe_malloc_ary(sizeof(*st->routes),st->n_clients, "netlink_phase_hook");
 /* Fill the table */
 i=0;
 for (c=st->clients; c; c=c->next) {
diff --git a/secnet.h b/secnet.h
index 3f32302..18500c5 100644
--- a/secnet.h
+++ b/secnet.h
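Review bot: Only the initial allocation of `r->list` in subnet_list_new gets the overflow check; `subnet_list` carries both `entries` and `alloc`, which suggests a growth path elsewhere in ipaddr.c that enlarges `list` with a multiplication of its own, and that path is not part of this patch. If it exists it needs the same treatment, either a checked resize helper alongside safe_malloc_ary or the same `count >= bound/size` guard before the multiply. The body of subnet_list_new starts before this hunk, so the function's other allocations are not visible here.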
@@ -144,6 +144,7 @@ extern uint32_t string_list_to_word(list_t *l, struct flagstr *f,
 extern char *safe_strdup(const char *string, const char *message);
 extern void *safe_malloc(size_t size, const char *message);
+extern void *safe_malloc_ary(size_t size, size_t count, const char *message);
 extern int sys_cmd(const char *file, const char *argc, ...);
diff --git a/util.c b/util.c
index 86a9cd8..44a45e5 100644
--- a/util.c
+++ b/util.c
@@ -74,6 +74,12 @@ void *safe_malloc(size_t size, const char *message)
 }
 return r;
 }
+void *safe_malloc_ary(size_t size, size_t count, const char *message) {
+ if (count >= INT_MAX/size) {
+ fatal("array allocation overflow: %s", message);
+ }
+ return safe_malloc(size*count, message);
+}
 /* Convert a buffer into its MP_INT representation */
 void read_mpbin(MP_INT *a, uint8_t *bin, int binsize)
-- 
2.30.2
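Review bot: The new declaration takes its arguments as `(size, count, message)`, the reverse of calloc's `(count, size)` order, and the header says nothing about what happens on overflow, so a future caller can swap the first two arguments without any compiler help. Since this line is the public contract, a one-line comment at the declaration would help, e.g. `/* Allocate count elements of size bytes each (element size first, unlike calloc); calls fatal() instead of returning if count*size would overflow. */`.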
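Review bot: `if (count >= INT_MAX/size)` divides by `size` without checking it for zero, so `safe_malloc_ary(0, n, msg)` is undefined behaviour (division by zero) rather than a zero-byte request; every caller in this patch passes a `sizeof`, which cannot be 0, but the function is exported through secnet.h, so the guard should hold for any argument: `if (size != 0 && count >= INT_MAX/size) {`. Bounding by `INT_MAX` rather than `SIZE_MAX` is deliberately conservative and keeps `size*count` far below the point where it could wrap, but that choice deserves a one-line comment, and `INT_MAX` requires `<limits.h>`, which this hunk cannot show util.c already includes, so worth confirming. As a point of style, the `safe_malloc` signature in the hunk header has no trailing `{`, which suggests this file opens function bodies on their own line, while the new definition puts `{` on the signature line.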