author | Rusty Russell <rusty@rustcorp.com.au> | 2014-06-10 14:39:34 +0930 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2014-06-10 14:39:34 +0930 |
commit | 36c52c260ed076d36a308dc4ea755f965abf0629 (patch) | |
tree | 369d7bc8b6907c22db125b4c7e70be7926936b63 | |
parent | 7207c7822bbe0deef98aa71a5b2e721be370b446 (diff) |
tal/talloc: fix overflow on 64 bit systems
Arguably a bug in talloc_realloc_array, which uses an unsigned for
size, resulting in silent truncation and a memcpy into a too-small
buffer.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
-rw-r--r-- | ccan/tal/talloc/talloc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/ccan/tal/talloc/talloc.c b/ccan/tal/talloc/talloc.c index ad21b704..fbe9b384 100644 --- a/ccan/tal/talloc/talloc.c +++ b/ccan/tal/talloc/talloc.c @@ -141,6 +141,13 @@ bool tal_talloc_resize_(tal_t **ctxp, size_t size, size_t count) *ctxp = newp; return true; } + + /* count is unsigned, not size_t, so check for overflow here! */ + if ((unsigned)count != count) { + call_error("Resize overflos"); + return false; + } + newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL); if (!newp) { call_error("Resize failure"); |
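Review bot: The error string in the added `call_error("Resize overflos");` line is misspelled; it should read "Resize overflow". The added comment "count is unsigned, not size_t" also reads as contradicting the `size_t count` parameter shown in the hunk header. Naming the callee (for example "_talloc_realloc_array takes count as unsigned") would make clear which side is narrow. The cast-and-compare `(unsigned)count != count` does detect truncation of `count`, but `size` is passed to the same call without any check. If that parameter is also narrower than size_t in the callee, it needs the same guard; the visible lines do not show whether it is.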