memory: check for overflow when (re)allocating array

When (re)allocating an array with very large number of elements using the MallocArray or ReallocArray macros, the calculated size of the array could overflow size_t and less memory would be allocated than requested. Add new functions for (re)allocating arrays that check the size and use them in the MallocArray and ReallocArray macros. This couldn't be exploited, because all arrays that can grow with cmdmon or NTP requests already have their size checked before allocation, or they are much smaller than memory allocated for structures to which they are related (i.e. ntp_core and sourcestats instances), so a memory allocation would fail before their size could overflow. This issue was found in an audit performed by Cure53 and sponsored by Mozilla.
2025-12-03 17:55:07 -05:00 · 2017-08-24 12:10:46 +02:00
parent f40b0024bd
commit 7ffee73524
3 changed files with 31 additions and 8 deletions
--- a/memory.h
+++ b/memory.h
@@ -30,12 +30,14 @@
 /* Wrappers checking for errors */
 extern void *Malloc(size_t size);
 extern void *Realloc(void *ptr, size_t size);
+extern void *Malloc2(size_t nmemb, size_t size);
+extern void *Realloc2(void *ptr, size_t nmemb, size_t size);
 extern char *Strdup(const char *s);

 /* Convenient macros */
 #define MallocNew(T) ((T *) Malloc(sizeof(T)))
-#define MallocArray(T, n) ((T *) Malloc((n) * sizeof(T)))
-#define ReallocArray(T,n,x) ((T *) Realloc((void *)(x), (n)*sizeof(T)))
+#define MallocArray(T, n) ((T *) Malloc2(n, sizeof(T)))
+#define ReallocArray(T, n, x) ((T *) Realloc2((void *)(x), n, sizeof(T)))
 #define Free(x) free(x)

 #endif /* GOT_MEMORY_H */