NetBSD-Bugs archive


bin/53367: Integer overflow in usr.sbin/dumplfs



>Number:         53367
>Category:       bin
>Synopsis:       Integer overflow in usr.sbin/dumplfs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 15 15:05:00 +0000 2018
>Originator:     Thomas Barabosch
>Release:        7.1.2
>Organization:
Fraunhofer FKIE
>Environment:
>Description:
There is a memory allocation in usr.sbin/dumplfs/dumplfs.c with malloc that utilizes multiplication. This is considered harmful and it is better to utilize calloc. Furthermore, there is a possible null pointer dereference since malloc may fail to allocate memory but there is no check for a NULL return value.

I've drafted a patch as a possible solution to this issue.
>How-To-Repeat:

>Fix:
--- usr.sbin/dumplfs/dumplfs.c	2018-05-14 00:00:49.651718558 +0200
+++ usr.sbin/dumplfs/dumplfs.c.patched	2018-06-15 16:54:43.556979202 +0200
@@ -680,8 +680,8 @@
 	} else {
 		el_size = sizeof(u_int32_t);
 	}
-	datap = (char *)malloc(el_size * numblocks);
-	memset(datap, 0, el_size * numblocks);
+	if ((datap = (char *)calloc(numblocks, el_size)) == NULL)
+            err(1, "calloc");
 	acc = 0;
 	addr += lfs_btofsb(lfsp, lfs_sb_getsumsize(lfsp));
 	buf = malloc(lfs_sb_getbsize(lfsp));
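Review bot: the NULL check added here covers only one of the two unchecked allocations in this hunk; the context line `buf = malloc(lfs_sb_getbsize(lfsp));` directly below the new calloc still has no NULL test, so a failed allocation there is still dereferenced. Suggest giving it the same treatment, e.g. `if ((buf = malloc(lfs_sb_getbsize(lfsp))) == NULL) err(1, "malloc");`. Two smaller points: the continuation line `+            err(1, "calloc");` is indented with spaces where the surrounding lines use tabs (KNF wants a tab plus a continuation indent), and err(3) needs <err.h>, which the hunk does not add, so confirm the file already includes it. The `(char *)` cast on calloc is unnecessary in C and can go. The calloc change itself is right: calloc(numblocks, el_size) lets the allocator reject a product that overflows size_t, which `malloc(el_size * numblocks)` silently wraps, and it makes the removed memset redundant because calloc zeroes the block.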

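The following is an added illustration of the overflow the report describes and of the hardened shape of the fix; it is example code written for this page, not code from dumplfs or NetBSD. The helpers `wrapped_alloc_size32`, `checked_mul`, `alloc_block_table` and `table_fits` and the sample block count are hypothetical. On a 64-bit host the product of a 32-bit block count and an 8-byte element cannot overflow size_t, which is why the unpatched arithmetic is emulated in 32 bits: that is the case where `malloc(el_size * numblocks)` hands back a tiny buffer while the caller goes on to fill numblocks entries.

```c
#include <err.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Emulates the unpatched allocation size as computed on a host where
 * size_t is 32 bits: el_size * numblocks wraps modulo 2^32, so malloc()
 * gets a tiny request while the caller still believes it owns
 * numblocks elements.
 */
uint32_t wrapped_alloc_size32(uint32_t el_size, uint32_t numblocks)
{
	return el_size * numblocks;	/* unsigned wrap, no diagnostic */
}

/*
 * Overflow-checked multiply in the spirit of what calloc(3) does
 * internally: returns 0 and stores the product, or -1 with
 * errno = EOVERFLOW when a * b does not fit in size_t.
 */
int checked_mul(size_t a, size_t b, size_t *out)
{
	if (a != 0 && b > SIZE_MAX / a) {
		errno = EOVERFLOW;
		return -1;
	}
	*out = a * b;
	return 0;
}

/*
 * Hardened shape of the dumplfs allocation (hypothetical helper, not
 * dumplfs code): count and element size go to calloc() separately so the
 * library checks the product, and a NULL result is returned to the
 * caller instead of being dereferenced. The explicit pre-check makes the
 * failure reason visible even on a libc whose calloc() does not check.
 */
char *alloc_block_table(size_t numblocks, size_t el_size)
{
	size_t total;

	if (checked_mul(numblocks, el_size, &total) != 0)
		return NULL;
	return calloc(numblocks, el_size);	/* zeroed, like the old memset */
}

/* Does a buffer of alloc_bytes hold numblocks elements of el_size bytes? */
int table_fits(size_t alloc_bytes, size_t numblocks, size_t el_size)
{
	size_t need;

	return checked_mul(numblocks, el_size, &need) == 0 && need <= alloc_bytes;
}

int main(void)
{
	/* Constructed input: a block count read from an untrusted on-disk
	 * structure, with 8-byte (u_int64_t) entries as in the report. */
	uint32_t el_size = 8, numblocks = 0x20000001u;
	uint32_t bad = wrapped_alloc_size32(el_size, numblocks);
	char *tab;

	printf("unpatched 32-bit request: %" PRIu32 " bytes for %" PRIu32
	    " entries, fits=%d\n", bad, numblocks,
	    table_fits(bad, numblocks, el_size));

	/* Patched shape: overflow or exhaustion is reported, never dereferenced. */
	if (alloc_block_table(numblocks, el_size) == NULL)
		printf("large table: %s\n", strerror(errno));
	if ((tab = alloc_block_table(16, el_size)) == NULL)
		err(1, "calloc");
	printf("small table: %zu zeroed bytes\n", (size_t)16 * el_size);
	free(tab);
	return 0;
}
```

Note that `strerror` needs `<string.h>`; it is used only in `main`, which the reader runs stand-alone, so add that include when pasting the block. The 32-bit wrap of 8 * 0x20000001 yields a request of 8 bytes for more than half a billion entries, which `table_fits` correctly rejects, while `alloc_block_table` either succeeds with a zeroed buffer or returns NULL with errno set.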