Mercurial > dovecot > core-2.2

changeset 21323:d223fad9767f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
global: Make sure *_malloc() calculations won't cause integer overflows.
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Mon, 12 Dec 2016 07:28:00 +0200
parents 5ab8dc1a4a6f
children ce210ada8bc2
files src/auth/auth-request-var-expand.c src/doveadm/doveadm-dump-index.c src/lib-imap/imap-utf7.c src/lib-index/mail-index-transaction-view.c src/lib-index/mail-index.c src/lib-master/master-login.c src/lib-program-client/program-client-local.c src/lib-storage/index/maildir/maildir-save.c src/lib-storage/index/pop3c/pop3c-sync.c src/lib-storage/mailbox-list.c src/lib/data-stack.c src/lib/hex-binary.c src/lib/str-find.c src/lib/strfuncs.c src/log/log-error-buffer.c src/plugins/acl/acl-cache.c src/plugins/acl/acl-cache.h src/pop3/pop3-client.h src/pop3/pop3-commands.c src/stats/mail-command.c src/stats/mail-domain.c src/stats/mail-ip.c src/stats/mail-session.c src/stats/mail-user.c
diffstat 24 files changed, 41 insertions(+), 35 deletions(-) [+]
line wrap: on
line diff
--- a/src/auth/auth-request-var-expand.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/auth/auth-request-var-expand.c	Mon Dec 12 07:28:00 2016 +0200
@@ -79,8 +79,8 @@
 
 	/* keep the extra fields at the beginning. the last static_tab field
 	   contains the ending NULL-fields. */
-	tab = ret_tab = t_malloc((*count + auth_count) * sizeof(*tab));
-	memset(tab, 0, *count * sizeof(*tab));
+	tab = ret_tab = t_new(struct var_expand_table,
+			      MALLOC_ADD(*count, auth_count));
 	tab += *count;
 	*count += auth_count;
 
--- a/src/doveadm/doveadm-dump-index.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/doveadm/doveadm-dump-index.c	Mon Dec 12 07:28:00 2016 +0200
@@ -212,7 +212,7 @@
 
 	/* add some padding, since we don't bother to handle undersized
 	   headers correctly */
-	buf = t_malloc0(ext->hdr_size + 128);
+	buf = t_malloc0(MALLOC_ADD(ext->hdr_size, 128));
 	data = CONST_PTR_OFFSET(index->map->hdr_base, ext->hdr_offset);
 	memcpy(buf, data, ext->hdr_size);
 	data = buf;
--- a/src/lib-imap/imap-utf7.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-imap/imap-utf7.c	Mon Dec 12 07:28:00 2016 +0200
@@ -82,7 +82,7 @@
 
 	/* at least one encoded character */
 	str_append_n(dest, src, p-src);
-	utf16 = t_malloc(strlen(p)*2);
+	utf16 = t_malloc0(MALLOC_MULTIPLY(strlen(p), 2));
 	while (*p != '\0') {
 		if (*p == '&') {
 			str_append(dest, "&-");
--- a/src/lib-index/mail-index-transaction-view.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-index/mail-index-transaction-view.c	Mon Dec 12 07:28:00 2016 +0200
@@ -113,8 +113,8 @@
 		tview->recs_count = t->first_new_seq;
 		tview->record_size = I_MAX(map->hdr.record_size,
 					   tview->view.map->hdr.record_size);
-		tview->recs = i_malloc(tview->record_size *
-				       tview->recs_count);
+		tview->recs = i_malloc(MALLOC_MULTIPLY(tview->record_size,
+						       tview->recs_count));
 		array_append(&tview->all_recs, &tview->recs, 1);
 	}
 	i_assert(tview->recs_count == t->first_new_seq);
--- a/src/lib-index/mail-index.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-index/mail-index.c	Mon Dec 12 07:28:00 2016 +0200
@@ -347,8 +347,8 @@
 	}
 
 	/* @UNSAFE */
-	k = i_malloc(sizeof(struct mail_keywords) +
-		     (sizeof(k->idx) * (count-1)));
+	k = i_malloc(MALLOC_ADD(sizeof(struct mail_keywords),
+				MALLOC_MULTIPLY(sizeof(k->idx), (count-1))));
 	k->index = index;
 	k->refcount = 1;
 
@@ -387,8 +387,8 @@
 	}
 
 	/* @UNSAFE */
-	k = i_malloc(sizeof(struct mail_keywords) +
-		     (sizeof(k->idx) * (count-1)));
+	k = i_malloc(MALLOC_ADD(sizeof(struct mail_keywords),
+				MALLOC_MULTIPLY(sizeof(k->idx), (count-1))));
 	k->index = index;
 	k->refcount = 1;
 
--- a/src/lib-master/master-login.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-master/master-login.c	Mon Dec 12 07:28:00 2016 +0200
@@ -423,7 +423,7 @@
 
 	/* @UNSAFE: we have a request. do userdb lookup for it. */
 	req.data_size -= i;
-	client = i_malloc(sizeof(struct master_login_client) + req.data_size);
+	client = i_malloc(MALLOC_ADD(sizeof(struct master_login_client), req.data_size));
 	client->conn = conn;
 	client->fd = client_fd;
 	client->auth_req = req;
--- a/src/lib-program-client/program-client-local.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-program-client/program-client-local.c	Mon Dec 12 07:28:00 2016 +0200
@@ -167,9 +167,9 @@
 
 		efds = array_get_modifiable(&pclient->extra_fds, &xfd_count);
 		if (xfd_count > 0) {
-			parent_extra_fds = t_malloc0(sizeof(int) * xfd_count);
-			child_extra_fds =
-				t_malloc0(sizeof(int) * xfd_count * 2 + 1);
+			i_assert(xfd_count < INT_MAX);
+			parent_extra_fds = t_new(int, xfd_count);
+			child_extra_fds = t_new(int, xfd_count * 2 + 1);
 			for(i = 0; i < xfd_count; i++) {
 				if (pipe(extra_fd) < 0) {
 					i_error("pipe(extra=%d) failed: %m",
--- a/src/lib-storage/index/maildir/maildir-save.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-storage/index/maildir/maildir-save.c	Mon Dec 12 07:28:00 2016 +0200
@@ -166,8 +166,8 @@
 	   into new/ or cur/. */
 	/* @UNSAFE */
 	keyword_count = mdata->keywords == NULL ? 0 : mdata->keywords->count;
-	mf = p_malloc(ctx->pool, sizeof(*mf) +
-		      sizeof(unsigned int) * keyword_count);
+	mf = p_malloc(ctx->pool, MALLOC_ADD(sizeof(*mf),
+		MALLOC_MULTIPLY(sizeof(unsigned int), keyword_count)));
 	mf->tmp_name = mf->dest_basename = p_strdup(ctx->pool, tmp_fname);
 	mf->flags = mdata->flags;
 	mf->size = (uoff_t)-1;
--- a/src/lib-storage/index/pop3c/pop3c-sync.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-storage/index/pop3c/pop3c-sync.c	Mon Dec 12 07:28:00 2016 +0200
@@ -215,8 +215,10 @@
 	array_sort(&remote_msgs, pop3c_sync_msg_uidl_cmp);
 
 	/* skip over existing messages with matching UIDLs and expunge the ones
-	   that no longer exist in remote. (+1 to avoid malloc(0) assert) */
-	mbox->msg_uids = i_new(uint32_t, mbox->msg_count + 1);
+	   that no longer exist in remote. */
+	mbox->msg_uids = mbox->msg_count == 0 ?
+		i_new(uint32_t, 1) : /* avoid malloc(0) assert */
+		i_new(uint32_t, mbox->msg_count);
 	cache_trans = mail_cache_get_transaction(cache_view, sync_trans);
 
 	lmsg = array_get(&local_msgs, &lcount);
--- a/src/lib-storage/mailbox-list.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib-storage/mailbox-list.c	Mon Dec 12 07:28:00 2016 +0200
@@ -737,7 +737,7 @@
 	if (list_sep != ns_sep || prefix_len > 0) {
 		/* @UNSAFE */
 		name_len = strlen(vname);
-		ret = t_malloc(prefix_len + name_len + 1);
+		ret = t_malloc(MALLOC_ADD(prefix_len, name_len) + 1);
 		memcpy(ret, list->ns->prefix, prefix_len);
 		for (i = 0; i < name_len; i++) {
 			ret[i + prefix_len] =
--- a/src/lib/data-stack.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib/data-stack.c	Mon Dec 12 07:28:00 2016 +0200
@@ -322,8 +322,10 @@
 	size_t prev_size, alloc_size;
 
 	prev_size = current_block == NULL ? 0 : current_block->size;
-	alloc_size = nearest_power(prev_size + min_size);
+	alloc_size = nearest_power(MALLOC_ADD(prev_size, min_size));
 
+	/* nearest_power() returns 2^n values, so alloc_size can't be
+	   anywhere close to SIZE_MAX */
 #ifndef USE_GC
 	block = malloc(SIZEOF_MEMBLOCK + alloc_size);
 #else
--- a/src/lib/hex-binary.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib/hex-binary.c	Mon Dec 12 07:28:00 2016 +0200
@@ -28,7 +28,7 @@
 
 const char *binary_to_hex(const unsigned char *data, size_t size)
 {
-	unsigned char *dest = t_malloc(size * 2 + 1);
+	unsigned char *dest = t_malloc(MALLOC_MULTIPLY(size, 2) + 1);
 
 	binary_to_hex_case(dest, data, size, FALSE);
 	dest[size*2] = '\0';
@@ -37,7 +37,7 @@
 
 const char *binary_to_hex_ucase(const unsigned char *data, size_t size)
 {
-	unsigned char *dest = t_malloc(size * 2 + 1);
+	unsigned char *dest = t_malloc(MALLOC_MULTIPLY(size, 2) + 1);
 
 	binary_to_hex_case(dest, data, size, TRUE);
 	dest[size*2] = '\0';
--- a/src/lib/str-find.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib/str-find.c	Mon Dec 12 07:28:00 2016 +0200
@@ -83,8 +83,8 @@
 	i_assert(key_len > 0);
 	i_assert(key_len < INT_MAX);
 
-	ctx = p_malloc(pool, sizeof(struct str_find_context) +
-		       sizeof(ctx->goodtab[0]) * key_len);
+	ctx = p_malloc(pool, MALLOC_ADD(sizeof(struct str_find_context),
+		MALLOC_MULTIPLY(sizeof(ctx->goodtab[0]), key_len)));
 	ctx->pool = pool;
 	ctx->matches = p_new(pool, unsigned int, key_len);
 	ctx->key_len = key_len;
--- a/src/lib/strfuncs.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/lib/strfuncs.c	Mon Dec 12 07:28:00 2016 +0200
@@ -698,6 +698,7 @@
 	char *p;
 	size_t len, size = sizeof(const char *);
 
+	/* @UNSAFE: integer overflow checks are missing */
 	for (i = 0; arr[i] != NULL; i++)
 		size += sizeof(const char *) + strlen(arr[i]) + 1;
 
--- a/src/log/log-error-buffer.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/log/log-error-buffer.c	Mon Dec 12 07:28:00 2016 +0200
@@ -59,7 +59,8 @@
 		log_error_buffer_delete_head(buf);
 
 	/* @UNSAFE */
-	data = i_malloc(sizeof(*data) + prefix_size + text_size);
+	data = i_malloc(MALLOC_ADD(sizeof(*data),
+				   MALLOC_ADD(prefix_size, text_size)));
 	data->type = error->type;
 	data->timestamp = error->timestamp;
 	memcpy(data->prefix_text, error->prefix, prefix_size);
--- a/src/plugins/acl/acl-cache.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/plugins/acl/acl-cache.c	Mon Dec 12 07:28:00 2016 +0200
@@ -274,8 +274,8 @@
 
 	obj_cache = hash_table_lookup(cache->objects, objname);
 	if (obj_cache == NULL) {
-		obj_cache = i_malloc(sizeof(struct acl_object_cache) +
-				     cache->validity_rec_size);
+		obj_cache = i_malloc(MALLOC_ADD(sizeof(struct acl_object_cache),
+						cache->validity_rec_size));
 		obj_cache->name = i_strdup(objname);
 		hash_table_insert(cache->objects, obj_cache->name, obj_cache);
 		*created_r = TRUE;
--- a/src/plugins/acl/acl-cache.h	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/plugins/acl/acl-cache.h	Mon Dec 12 07:28:00 2016 +0200
@@ -14,7 +14,7 @@
 	unsigned char mask[1];
 };
 #define SIZEOF_ACL_MASK(bitmask_size) \
-	(sizeof(pool_t) + sizeof(unsigned int) + (bitmask_size))
+	(MALLOC_ADD(sizeof(pool_t) + sizeof(unsigned int), (bitmask_size)))
 
 struct acl_cache *acl_cache_init(struct acl_backend *backend,
 				 size_t validity_rec_size);
--- a/src/pop3/pop3-client.h	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/pop3/pop3-client.h	Mon Dec 12 07:28:00 2016 +0200
@@ -10,7 +10,7 @@
 typedef void command_func_t(struct client *client);
 
 #define MSGS_BITMASK_SIZE(client) \
-	(((client)->messages_count + (CHAR_BIT-1)) / CHAR_BIT)
+	(MALLOC_ADD((client)->messages_count, (CHAR_BIT-1)) / CHAR_BIT)
 
 /* Stop reading input when output buffer has this many bytes. Once the buffer
    size has dropped to half of it, start reading input again. */
--- a/src/pop3/pop3-commands.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/pop3/pop3-commands.c	Mon Dec 12 07:28:00 2016 +0200
@@ -827,7 +827,7 @@
 	}
 	/* map UIDLs to msgnums (in case POP3 sort ordering is different) */
 	client->message_uidls = p_new(client->uidl_pool, const char *,
-				      client->messages_count+1);
+				      MALLOC_ADD(client->messages_count, 1));
 	for (msgnum = 0; msgnum < client->messages_count; msgnum++) {
 		client->message_uidls[msgnum] =
 			seq_uidls[msgnum_to_seq(client, msgnum) - 1];
--- a/src/stats/mail-command.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/stats/mail-command.c	Mon Dec 12 07:28:00 2016 +0200
@@ -47,7 +47,7 @@
 {
 	struct mail_command *cmd;
 
-	cmd = i_malloc(sizeof(struct mail_command) + stats_alloc_size());
+	cmd = i_malloc(MALLOC_ADD(sizeof(struct mail_command), stats_alloc_size()));
 	cmd->stats = (void *)(cmd + 1);
 	cmd->refcount = 1; /* unrefed at "done" */
 	cmd->session = session;
--- a/src/stats/mail-domain.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/stats/mail-domain.c	Mon Dec 12 07:28:00 2016 +0200
@@ -28,7 +28,7 @@
 		return domain;
 	}
 
-	domain = i_malloc(sizeof(struct mail_domain) + stats_alloc_size());
+	domain = i_malloc(MALLOC_ADD(sizeof(struct mail_domain), stats_alloc_size()));
 	domain->stats = (void *)(domain + 1);
 	domain->name = i_strdup(name);
 	domain->reset_timestamp = ioloop_time;
--- a/src/stats/mail-ip.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/stats/mail-ip.c	Mon Dec 12 07:28:00 2016 +0200
@@ -31,7 +31,7 @@
 		return ip;
 	}
 
-	ip = i_malloc(sizeof(struct mail_ip) + stats_alloc_size());
+	ip = i_malloc(MALLOC_ADD(sizeof(struct mail_ip), stats_alloc_size()));
 	ip->stats = (void *)(ip + 1);
 	ip->ip = *ip_addr;
 	ip->reset_timestamp = ioloop_time;
--- a/src/stats/mail-session.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/stats/mail-session.c	Mon Dec 12 07:28:00 2016 +0200
@@ -97,7 +97,7 @@
 			session_id, args[1], args[2], (long)session->pid, (long)pid);
 		return -1;
 	}
-	session = i_malloc(sizeof(struct mail_session) + stats_alloc_size());
+	session = i_malloc(MALLOC_ADD(sizeof(struct mail_session), stats_alloc_size()));
 	session->stats = (void *)(session + 1);
 	session->refcount = 1; /* unrefed at disconnect */
 	session->id = i_strdup(session_id);
--- a/src/stats/mail-user.c	Mon Dec 12 07:19:55 2016 +0200
+++ b/src/stats/mail-user.c	Mon Dec 12 07:28:00 2016 +0200
@@ -39,7 +39,7 @@
 	else
 		domain = "";
 
-	user = i_malloc(sizeof(struct mail_user) + stats_alloc_size());
+	user = i_malloc(MALLOC_ADD(sizeof(struct mail_user), stats_alloc_size()));
 	user->stats = (void *)(user + 1);
 	user->name = i_strdup(username);
 	user->reset_timestamp = ioloop_time;