library/4603: <synopsis of the problem (one line)>
>Synopsis: <synopsis of the problem (one line)>
>Arrival-Date: Mon Nov 07 14:00:01 GMT 2005
>Originator: Michael Shuldman
>Release: <release number or tag (one line)>
Inferno Nettverk A/S, Oslo, Norway; http://www.inet.no
>Environment:
<machine, os, target, libraries (multiple lines)>
System : OpenBSD 3.7
Machine : i386
lib/libwrap/rfc931.c allocates memory for the fd_set with
calloc(3), but it later uses FD_ZERO() to zero the fd_set.
When less than sizeof(struct fd_set) gets allocated for
the fd_set, FD_ZERO() copies beyond the allocated memory,
and at best a segmentation fault will occur.
<code/input/activities to reproduce the problem (multiple lines)>
> The following reply was made to PR library/4603; it has been noted by GNATS.
> From: Michael Shuldman <[hidden email]>
> To: Otto Moerbeek <[hidden email]>
> Cc: [hidden email], [hidden email]
> Subject: Re: library/4603: <synopsis of the problem (one line)>
> Date: Thu, 10 Nov 2005 12:16:07 +0100
> Otto Moerbeek wrote,
> > On Mon, 7 Nov 2005, Michael Shuldman wrote:
> > > >Number: 4603
> > > >Category: library
> > > >Synopsis: <synopsis of the problem (one line)>
> > I think this is slightly better. It uses size_t for sizes and makes use
> > of calloc's int overflow detection.
> Yes, size_t is better, but I think one should use malloc(3) instead
> of calloc(3), since the fd_set is zeroed manually inside the loop
> before usage anyway.
I do not agree. Using calloc(3) gets you the overflow check. The extra
zeroing does not matter that much. Probably the memset can be moved
to the end of the loop, but I'd like to focus on the bug only for now.
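The undersized-fd_set bug described in the report and the calloc(3)-versus-malloc(3) point raised in the replies, worked through as an added example in C. This is not the lib/libwrap/rfc931.c code under discussion; the helper names (fdset_bytes, fdzero_overrun, fdset_alloc, fdset_zero, mul_overflows) and the sample descriptor value are assumptions made for illustration. It sizes the allocation the conventional way, howmany(fd + 1, NFDBITS) words of fd_mask, reports by how many bytes FD_ZERO() would write past such a buffer, zeroes only the bytes that were allocated with memset(3), and allocates with calloc(3) so that the nmemb * size multiplication is overflow-checked rather than silently wrapping as it would in malloc(nmemb * size).

```c
/* Added example, not the rfc931.c code from the PR. Shows why FD_ZERO()
 * on an fd_set allocated smaller than sizeof(fd_set) overruns the buffer,
 * the memset-over-the-allocated-size alternative, and why calloc(nmemb,
 * size) is preferred over malloc(nmemb * size). Helper names are
 * assumptions for illustration. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>   /* howmany() on BSD and glibc */
#include <sys/select.h>  /* fd_set, fd_mask, NFDBITS, FD_SETSIZE */

#ifndef howmany
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif

/* Number of fd_mask words needed to hold bits 0..maxfd. */
static size_t fdset_words(int maxfd)
{
    return howmany((size_t)maxfd + 1, (size_t)NFDBITS);
}

/* Bytes actually allocated for an fd_set trimmed to maxfd. For a small
 * maxfd this is far less than sizeof(fd_set), which is the size
 * FD_ZERO() assumes it may write. */
size_t fdset_bytes(int maxfd)
{
    return fdset_words(maxfd) * sizeof(fd_mask);
}

/* How many bytes FD_ZERO() would write past the end of such a buffer. */
size_t fdzero_overrun(int maxfd)
{
    size_t have = fdset_bytes(maxfd);
    return have < sizeof(fd_set) ? sizeof(fd_set) - have : 0;
}

/* Allocate a trimmed fd_set. calloc(3) checks that nmemb * size does not
 * overflow size_t (it returns NULL with ENOMEM instead), which
 * malloc(nmemb * size) cannot do; the zeroing is a side benefit. */
fd_set *fdset_alloc(int maxfd)
{
    if (maxfd < 0 || maxfd >= FD_SETSIZE) {
        errno = EINVAL;
        return NULL;
    }
    return calloc(fdset_words(maxfd), sizeof(fd_mask));
}

/* Zero only the bytes that were allocated. This is the safe replacement
 * for FD_ZERO(p), whose memset(p, 0, sizeof(*p)) does not know how big
 * the allocation behind p really is. */
void fdset_zero(fd_set *p, int maxfd)
{
    memset(p, 0, fdset_bytes(maxfd));
}

/* The multiplication check calloc(3) performs internally, spelled out
 * for code that must stay with malloc(3). */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

int main(void)
{
    int fd = 5;  /* constructed: a small socket descriptor */
    fd_set *fdsp = fdset_alloc(fd);
    if (fdsp == NULL) {
        perror("calloc");
        return 1;
    }
    printf("allocated %zu bytes, sizeof(fd_set) = %zu, "
           "FD_ZERO would overrun by %zu bytes\n",
           fdset_bytes(fd), sizeof(fd_set), fdzero_overrun(fd));

    /* FD_ZERO(fdsp) here would write sizeof(fd_set) bytes into a
     * fdset_bytes(fd)-byte buffer, so use the sized variant instead. */
    fdset_zero(fdsp, fd);
    FD_SET(fd, fdsp);  /* touches only word fd / NFDBITS: in bounds */
    printf("fd %d set: %d\n", fd, FD_ISSET(fd, fdsp));
    free(fdsp);
    return 0;
}
```

The point to take away: once the allocation is sized to the descriptor rather than to the type, every operation on the buffer must use that same size, so FD_ZERO() has to go and FD_SET()/FD_ISSET() are only safe for descriptors up to the maxfd the buffer was sized for.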