This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Check for overflow in __alloc_dir


On 10/11/2012 10:17 PM, Roland McGrath wrote:

> If st_blksize might ever be any kind of bogus, then I think it's better
> just to cap it to some reasonable maximum (maybe a megabyte or two?).

Good idea. What about this? Manual testing shows that the large malloc attempt is gone, and there are no regressions.


--
Florian Weimer / Red Hat Product Security Team
2012-10-12  Florian Weimer  <fweimer@redhat.com>

	[BZ #14700]
	* sysdeps/posix/opendir.c (__alloc_dir): Ignore bogus
	statp->st_blksize values.

diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c
index e093142..937575a 100644
--- a/sysdeps/posix/opendir.c
+++ b/sysdeps/posix/opendir.c
@@ -1,5 +1,4 @@
-/* Copyright (C) 1991-1996,98,2000-2003,2005,2007,2009,2011
-   Free Software Foundation, Inc.
+/* Copyright (C) 1991-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -192,8 +191,11 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp)
 				   ? sizeof (struct dirent64) : BUFSIZ);
   size_t allocation = default_allocation;
 #ifdef _STATBUF_ST_BLKSIZE
-  if (statp != NULL && default_allocation < statp->st_blksize)
-    allocation = statp->st_blksize;
+  /* Increase allocation if requested, but not if the value appears to
+     be bogus.  */
+  if (statp != NULL && default_allocation < (size_t) statp->st_blksize
+      && (size_t) statp->st_blksize < 1024U * 1024U)
+      allocation = statp->st_blksize;
 #endif
 
   DIR *dirp = (DIR *) malloc (sizeof (DIR) + allocation);
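
Review bot: in the new condition, an st_blksize at or above 1024U * 1024U is dropped entirely and allocation stays at default_allocation, rather than being capped to the limit as the quoted suggestion proposed. If falling back to the default is the intended behaviour, say so in the comment and give the 1 MiB bound a named constant with a short rationale, so the threshold is not a bare magic number. The (size_t) casts do make a negative st_blksize compare as a very large value and get rejected by the upper bound, which is worth stating in the comment as well. Style point: the added `allocation = statp->st_blksize;` line is indented six columns where the removed line used four, so it lines up with the `&&` continuation instead of reading as the body of the `if`.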
