When allocating an array, it is necessary to check that the
multiplication (to compute the size in bytes) does not overflow.
Do this in a new function safe_malloc_ary, which we call in both the
places where safe_malloc was previously used with an unchecked
multiplication.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
r=safe_malloc(sizeof(*r),"subnet_list_new:list");
r->entries=0;
r->alloc=DEFAULT_ALLOC;
r=safe_malloc(sizeof(*r),"subnet_list_new:list");
r->entries=0;
r->alloc=DEFAULT_ALLOC;
- r->list=safe_malloc(sizeof(*r->list)*r->alloc,"subnet_list_new:data");
+ r->list=safe_malloc_ary(sizeof(*r->list),r->alloc,"subnet_list_new:data");
/* All the networks serviced by the various tunnels should now
* have been registered. We build a routing table by sorting the
* clients by priority. */
/* All the networks serviced by the various tunnels should now
* have been registered. We build a routing table by sorting the
* clients by priority. */
- st->routes=safe_malloc(st->n_clients*sizeof(*st->routes),
- "netlink_phase_hook");
+ st->routes=safe_malloc_ary(sizeof(*st->routes),st->n_clients,
+ "netlink_phase_hook");
/* Fill the table */
i=0;
for (c=st->clients; c; c=c->next) {
/* Fill the table */
i=0;
for (c=st->clients; c; c=c->next) {
extern char *safe_strdup(const char *string, const char *message);
extern void *safe_malloc(size_t size, const char *message);
extern char *safe_strdup(const char *string, const char *message);
extern void *safe_malloc(size_t size, const char *message);
+extern void *safe_malloc_ary(size_t size, size_t count, const char *message);
extern int sys_cmd(const char *file, const char *argc, ...);
extern int sys_cmd(const char *file, const char *argc, ...);
+void *safe_malloc_ary(size_t size, size_t count, const char *message) {
+ if (count >= INT_MAX/size) {
+ fatal("array allocation overflow: %s", message);
+ }
+ return safe_malloc(size*count, message);
+}
/* Convert a buffer into its MP_INT representation */
void read_mpbin(MP_INT *a, uint8_t *bin, int binsize)
/* Convert a buffer into its MP_INT representation */
void read_mpbin(MP_INT *a, uint8_t *bin, int binsize)
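Review bot: `if (count >= INT_MAX/size)` in safe_malloc_ary divides by `size` with no check for zero, so a zero element size is undefined behaviour rather than a rejected allocation; both call sites in this commit pass `sizeof(*...)`, which cannot be zero, but the function is exported in the header so nothing enforces that for future callers. A guard such as `if (size == 0 || count >= INT_MAX/size) {` closes that gap for one extra comparison. The limit is `INT_MAX` rather than `SIZE_MAX`, which caps every array allocation at ~2 GiB on LP64 platforms and also rejects the exact case `count == INT_MAX/size`; if that conservative cap is deliberate it deserves a one-line comment above the test (e.g. `/* deliberately capped at INT_MAX, not SIZE_MAX: larger arrays are never legitimate here */`), since a reader will otherwise take it for a mistake. `INT_MAX` comes from `<limits.h>`; the include block is outside the hunk, so it is worth confirming that this file already includes it.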