[PATCH] Fix calloc() behaviour in case of overflow
Sebastian Huber
sebastian.huber at embedded-brains.de
Tue Apr 20 18:33:19 UTC 2021
The multiplication to calculate the length of the memory area to
allocate may overflow. Return NULL in case of an overflow.
Close #4389.
---
cpukit/libcsupport/src/calloc.c | 13 ++++++++++++-
cpukit/libcsupport/src/rtemscalloc.c | 9 ++++++++-
testsuites/libtests/malloctest/init.c | 23 +++++++++++++----------
3 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/cpukit/libcsupport/src/calloc.c b/cpukit/libcsupport/src/calloc.c
index e015f30d6c..693aa21453 100644
--- a/cpukit/libcsupport/src/calloc.c
+++ b/cpukit/libcsupport/src/calloc.c
@@ -20,7 +20,10 @@
#if defined(RTEMS_NEWLIB) && !defined(HAVE_CALLOC)
#include <stdlib.h>
+
+#include <errno.h>
#include <string.h>
+
#include <rtems/score/basedefs.h>
void *calloc(
@@ -31,7 +34,15 @@ void *calloc(
void *cptr;
size_t length;
- length = nelem * elsize;
+ if ( nelem == 0 ) {
+ length = 0;
+ } else if ( elsize > SIZE_MAX / nelem ) {
+ errno = ENOMEM;
+ return NULL;
+ } else {
+ length = nelem * elsize;
+ }
+
cptr = malloc( length );
RTEMS_OBFUSCATE_VARIABLE( cptr );
if ( RTEMS_PREDICT_FALSE( cptr == NULL ) ) {
diff --git a/cpukit/libcsupport/src/rtemscalloc.c b/cpukit/libcsupport/src/rtemscalloc.c
index 4e189e8367..836f1da64d 100644
--- a/cpukit/libcsupport/src/rtemscalloc.c
+++ b/cpukit/libcsupport/src/rtemscalloc.c
@@ -46,7 +46,14 @@ void *rtems_calloc( size_t nelem, size_t elsize )
size_t length;
void *p;
- length = nelem * elsize;
+ if ( nelem == 0 ) {
+ length = 0;
+ } else if ( elsize > SIZE_MAX / nelem ) {
+ return NULL;
+ } else {
+ length = nelem * elsize;
+ }
+
p = rtems_malloc( length );
RTEMS_OBFUSCATE_VARIABLE( p );
if ( RTEMS_PREDICT_FALSE( p == NULL ) ) {
diff --git a/testsuites/libtests/malloctest/init.c b/testsuites/libtests/malloctest/init.c
index 1d91385683..4d0f421c02 100644
--- a/testsuites/libtests/malloctest/init.c
+++ b/testsuites/libtests/malloctest/init.c
@@ -1190,6 +1190,14 @@ static void test_rtems_calloc(void)
rtems_test_assert(p == NULL);
rtems_test_assert(errno == 0);
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Walloc-size-larger-than=N"
+ errno = 0;
+ p = rtems_calloc(SIZE_MAX, SIZE_MAX);
+ rtems_test_assert(p == NULL);
+ rtems_test_assert(errno == 0);
+#pragma GCC diagnostic pop
+
i = rtems_calloc(1, sizeof(*i));
rtems_test_assert(i != NULL);
rtems_test_assert(*i == 0);
@@ -1313,22 +1321,17 @@ rtems_task Init(
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Walloc-size-larger-than=N"
p1 = calloc( 1, SIZE_MAX );
+ rtems_test_assert( p1 == NULL );
+
+ p1 = calloc( SIZE_MAX, SIZE_MAX );
+ rtems_test_assert( p1 == NULL );
#pragma GCC diagnostic pop
- if (p1) {
- printf("ERROR on attempt to calloc SIZE_MAX block expected failure.");
- free( p1 );
- }
/*
* Verify error case where malloc of size 0.
*/
p1 = malloc( 0 );
- if (p1) {
- printf("ERROR on attempt to malloc size 0 block expected failure.");
- free( p1 );
- }
-
-
+ rtems_test_assert( p1 == NULL );
test_heap_initialize();
test_heap_block_allocate();
--
2.26.2
More information about the devel
mailing list