svn commit: r265367 - head/lib/libc/regex

[Andrey Chernov]

On 06.05.2014 2:12, David Chisnall wrote:
> On 5 May 2014, at 22:51, Andrey Chernov <ache at freebsd.org> wrote:
> 
>> For standard malloc/realloc interface it is up to the caller to check
>> n*size not overflows. You must trust caller already does such check.
> 
> Do a search of the CVE database sometime to see how well placed that trust generally is.  Or even look at the code in question, where none of the realloc() or malloc() calls does overflow checking.

I know current situation and disagree with OpenBSD way to fix it. Public
interface assumes that caller should be trusted. Period. How well it is
really trusted is up to the caller and should be fixed in it clearly,
allowing human to trace the logic.

>> Using calloc() to enforce it instead of caller is semantically wrong,
> 
> Relying on a standard function to behave according to the standard is semantically wrong?

Yes. Generally it is using a function outside of its purpose. I.e. you
can use calloc() just to check n*size and nothing else (free() result
immediately afterwards) instead of writing just single check by
yourself. It will be legal usage but semantically wrong and misleading.

>> and especially strange when the caller is standard C library under your
>> control.
> 
> I don't follow this.  If libc can't rely on standards conformance from itself then other code stands no chance.

Libc here is the caller which is well under control because of the same
codebase. It means that n*size check can be easily added before malloc
call instead of using side effects with hidden logic.

As I mention initially, literal enough checks is what we need to make
logic clear. In the case we discuss realloc() can be changed by
reallocf() which does n*size and NULL checks and literal "if" should be
added before malloc() to check overflow.

-- 
http://ache.vniz.net/