From: Sam S. <sd...@gn...> - 2016-08-31 14:01:55
> * Daniel Jour <qna...@tz...> [2016-08-31 13:57:12 +0200]:
>
>> Let us revisit this issue at a later date.
>> I think the with_string_0 mechanism is good enough.
>> If you disagree, you will have to argue for it to be changed pervasively
>> throughout CLISP.
>
> with_string_0 is not involved here. I'm concerned by this (from regexi.c):
>
> begin_system_call();
> ret = (regmatch_t*)alloca((re->re_nsub+1)*sizeof(regmatch_t));
> end_system_call();
>
> re->re_nsub is the number of subexpressions, and if the regex is in
> any way "modifiable" by a malicious actor (e.g. a POST parameter for a
> search field), then that actor could pass a regex with lots of
> subexpressions, thus causing the above alloca to produce a stack overflow
> (in the best case).
I see.
We should handle it the same way we do in
clisp/modules/syscalls/calls.c:CONFSTR:
--8<---------------cut here---------------start------------->8---
#define CS_S(cmd) \
  begin_system_call(); res = confstr(cmd,buf,BUFSIZ); end_system_call(); \
  if (res == 0) value1 = T; \
  else if (res <= BUFSIZ) value1 = asciz_to_string(buf,GLO(misc_encoding)); \
  else { \
    /* Here we cannot use alloca(), because alloca() is generally unsafe \
       for sizes > BUFSIZ. */ \
    char *tmp = (char*)clisp_malloc(res); \
    begin_system_call(); \
    confstr(cmd,tmp,res); \
    end_system_call(); \
    /* FIXME: asciz_to_string may signal an error in which case tmp leaks */ \
    value1 = asciz_to_string(tmp,GLO(misc_encoding)); \
    begin_system_call(); \
    free(tmp); \
    end_system_call(); \
  }
--8<---------------cut here---------------end--------------->8---
--
Sam Steingold (http://sds.podval.org/) on darwin Ns 10.3.1404
http://www.childpsy.net/ http://islamexposedonline.com
http://iris.org.il http://thereligionofpeace.com http://camera.org
The dark past once was the bright future.
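The regexi.c concern above (an alloca whose size follows re_nsub, which an untrusted pattern controls) and the CONFSTR-style remedy, as an added illustration that is not CLISP's code: match arrays up to a fixed cap live in a stack array whose size is known at compile time, anything larger goes to malloc, and the size computation is checked for wraparound before either path. MATCH_STACK_MAX, the match_buf type and the function names are assumed for this example.

```c
#include <regex.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical cap on entries kept on the stack; plays the role BUFSIZ plays in CONFSTR. */
#define MATCH_STACK_MAX 8

typedef struct {
    regmatch_t  on_stack[MATCH_STACK_MAX]; /* fixed stack storage, size fixed at compile time */
    regmatch_t *ptr;                       /* on_stack, or a heap block when count is large */
    size_t      count;                     /* re_nsub + 1 entries, as regexec() expects */
    int         on_heap;                   /* 1 when ptr must be free()d */
} match_buf;

/* Classify a subexpression count: 0 = fits the stack buffer, 1 = needs heap, -1 = size would wrap. */
int match_buf_class(size_t re_nsub)
{
    if (re_nsub > SIZE_MAX / sizeof(regmatch_t) - 1) return -1; /* (re_nsub+1)*sizeof overflows */
    return re_nsub + 1 > MATCH_STACK_MAX;
}

/* Reserve re_nsub+1 entries. Returns 0, or -1 on size overflow / allocation failure. */
int match_buf_init(match_buf *mb, size_t re_nsub)
{
    int cls = match_buf_class(re_nsub);
    if (cls < 0) return -1;
    mb->count = re_nsub + 1;
    mb->on_heap = cls;
    mb->ptr = cls ? malloc(mb->count * sizeof(regmatch_t)) : mb->on_stack; /* large counts never touch the stack */
    return mb->ptr == NULL ? -1 : 0;
}

void match_buf_release(match_buf *mb)
{
    if (mb->on_heap) free(mb->ptr);
    mb->ptr = NULL;
}

/* Compile and run a pattern; return how many capture groups matched, -1 on error. */
int count_matched_groups(const char *pattern, const char *text)
{
    regex_t re; match_buf mb; int matched = 0;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -1;
    if (match_buf_init(&mb, re.re_nsub) != 0) { regfree(&re); return -1; }
    if (regexec(&re, text, mb.count, mb.ptr, 0) == 0)
        for (size_t i = 1; i < mb.count; i++)
            if (mb.ptr[i].rm_so != -1) matched++;
    match_buf_release(&mb); regfree(&re);
    return matched;
}
```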