user/5069: realloc -> calloc in bgpd/session.c


Alexander Farber
>Number:         5069
>Category:       user
>Synopsis:       Use calloc() instead of realloc() in bgpd/session.c
>Confidential:   yes
>Severity:       non-critical
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 04 09:50:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     A. Farber
>Release:        -current
>Organization:
net
>Environment:
       
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
        Use calloc() instead of realloc() in /usr/src/usr.sbin/bgpd/session.c to prevent an integer overflow
>How-To-Repeat:
        n/a
>Fix:

--- session.c.OLD Tue Apr  4 10:35:24 2006
+++ session.c Tue Apr  4 10:40:25 2006
@@ -178,7 +178,6 @@
  struct pollfd *pfd = NULL;
  struct ctl_conn *ctl_conn;
  struct listen_addr *la;
- void *newp;
  short events;
 
  conf = config;
@@ -303,14 +302,14 @@
  }
 
  if (peer_cnt > peer_l_elms) {
- if ((newp = realloc(peer_l, sizeof(struct peer *) *
-    peer_cnt)) == NULL) {
+ free(peer_l);
+ if ((peer_l = calloc(peer_cnt, sizeof(*peer_l)))
+    == NULL) {
  /* panic for now  */
  log_warn("could not resize peer_l from %u -> %u"
     " entries", peer_l_elms, peer_cnt);
  fatalx("exiting");
  }
- peer_l = newp;
  peer_l_elms = peer_cnt;
  }
 
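Review bot: free(peer_l) followed by calloc() in the peer_cnt > peer_l_elms branch discards the entries that realloc() used to carry over, so the two are only equivalent if every slot of peer_l is rewritten before it is next read, which these lines do not show. If the old contents are needed, keep the realloc() through a temporary pointer and add an explicit guard such as peer_cnt > SIZE_MAX / sizeof(*peer_l) before the multiplication.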
@@ -320,32 +319,30 @@
  mrt_cnt++;
 
  if (mrt_cnt > mrt_l_elms) {
- if ((newp = realloc(mrt_l, sizeof(struct mrt *) *
-    mrt_cnt)) == NULL) {
+ free(mrt_l);
+ if ((mrt_l = calloc(mrt_cnt, sizeof(*mrt_l)))
+    == NULL) {
  /* panic for now  */
  log_warn("could not resize mrt_l from %u -> %u"
     " entries", mrt_l_elms, mrt_cnt);
  fatalx("exiting");
  }
- mrt_l = newp;
  mrt_l_elms = mrt_cnt;
  }
 
  new_cnt = PFD_LISTENERS_START + listener_cnt + peer_cnt +
     ctl_cnt + mrt_cnt;
  if (new_cnt > pfd_elms) {
- if ((newp = realloc(pfd, sizeof(struct pollfd) *
-    new_cnt)) == NULL) {
+ free(pfd);
+ if ((pfd = calloc(new_cnt, sizeof(*pfd))) == NULL) {
  /* panic for now  */
  log_warn("could not resize pfd from %u -> %u"
     " entries", pfd_elms, new_cnt);
  fatalx("exiting");
  }
- pfd = newp;
  pfd_elms = new_cnt;
  }
 
- bzero(pfd, sizeof(struct pollfd) * pfd_elms);
  pfd[PFD_PIPE_MAIN].fd = ibuf_main->fd;
  pfd[PFD_PIPE_MAIN].events = POLLIN;
  if (ibuf_main->w.queued > 0)
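Review bot: the removed bzero(pfd, ...) sat after the closing brace of the new_cnt > pfd_elms block, so it cleared pfd on every pass, whereas calloc() clears it only on the passes where the array grows. On all other passes the slots now keep the fd/events/revents values from the previous pass unless each one is reassigned, so the bzero() should stay where it was. The mrt_l change raises the same question as peer_l: free() plus calloc() drops whatever entries realloc() would have preserved.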


>Release-Note:
>Audit-Trail:
>Unformatted:
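
Added example, not part of the original report and not bgpd code: one way to get the overflow check the description asks for while keeping the entries that realloc() preserves. grow_array() and unchecked_size() are hypothetical helper names, and the counts in main() are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What "cnt * size" evaluates to when passed straight to realloc(). */
size_t unchecked_size(size_t cnt, size_t elem_size)
{
    return cnt * elem_size;    /* unsigned arithmetic wraps silently */
}

/*
 * Hypothetical helper: grow *arr from old_cnt to new_cnt elements, keep the
 * old entries and zero the new tail. Returns 0, or -1 with *arr untouched
 * if the arguments are unusable, the byte count would wrap, or realloc() fails.
 */
int grow_array(void **arr, size_t old_cnt, size_t new_cnt, size_t elem_size)
{
    void *newp;

    /* The last test is the multiplication check calloc() performs. */
    if (elem_size == 0 || new_cnt <= old_cnt ||
        new_cnt > SIZE_MAX / elem_size) {
        errno = ENOMEM;
        return -1;
    }
    if ((newp = realloc(*arr, new_cnt * elem_size)) == NULL)
        return -1;
    memset((char *)newp + old_cnt * elem_size, 0,
        (new_cnt - old_cnt) * elem_size);
    *arr = newp;
    return 0;
}

int main(void)
{
    size_t huge = SIZE_MAX / 8 + 2;    /* constructed count: huge * 8 wraps */
    void *p = NULL;

    if (grow_array(&p, 0, 4, sizeof(int)) == -1)
        return 1;
    ((int *)p)[3] = 44;
    if (grow_array(&p, 4, 8, sizeof(int)) == -1)
        return 1;
    printf("kept %d, new slot %d\n", ((int *)p)[3], ((int *)p)[7]);
    printf("unchecked: %zu bytes, checked: %d\n",
        unchecked_size(huge, 8), grow_array(&p, 8, huge, 8));
    free(p);
    return 0;
}
```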