tal/talloc: fix overflow on 64 bit systems
author Rusty Russell <rusty@rustcorp.com.au>
Tue, 10 Jun 2014 05:09:34 +0000 (14:39 +0930)
committer Rusty Russell <rusty@rustcorp.com.au>
Tue, 10 Jun 2014 05:09:34 +0000 (14:39 +0930)
Arguably a bug in talloc_realloc_array, which uses an unsigned for
size, resulting in silent truncation and a memcpy into a too-small
buffer.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
ccan/tal/talloc/talloc.c

index ad21b704d2acc5a0e9b386ce6288500614160d81..fbe9b38474e923610bdcfefb39afee113d5ebcdc 100644 (file)
@@ -141,6 +141,13 @@ bool tal_talloc_resize_(tal_t **ctxp, size_t size, size_t count)
                *ctxp = newp;
                return true;
        }
+
+       /* count is unsigned, not size_t, so check for overflow here! */
+       if ((unsigned)count != count) {
+               call_error("Resize overflos");
+               return false;
+       }
+
        newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL);
        if (!newp) {
                call_error("Resize failure");
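Review bot: the error string in the new overflow check at the top of this hunk misspells "overflow" as "overflos"; since `call_error` messages reach the caller's error handler, suggest `call_error("Resize overflow");`. The check itself is sound: comparing `(unsigned)count` against the original `size_t` value detects any high bits that would be lost when `count` is narrowed for `_talloc_realloc_array`, which is exactly the silent truncation the commit message describes. It may also be worth a short comment noting that the check sits after the earlier early-return path above it, so that future edits do not move the realloc call ahead of it.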