1 From: Ulrich Drepper <drepper@gmail.com>
2 Date: Mon, 23 May 2011 03:04:16 +0000 (-0400)
3 Subject: Add a few more alloca size checks
4 X-Git-Tag: glibc-2.14~41
5 X-Git-Url: http://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=f2962a71959fd254a7a223437ca4b63b9e81130c
7 Add a few more alloca size checks
10 2011-05-22 Ulrich Drepper <drepper@gmail.com>
13 * nis/nss_nis/nis-alias.c (_nss_nis_getaliasbyname_r): Use malloc in
15 * nscd/nscd_getserv_r.c (nscd_getserv_r): Likewise.
16 * posix/glob.c (glob_in_dir): Take additional parameter alloca_used.
17 add it in __libc_use_alloca calls. Adjust callers.
18 (glob): Use malloc in some situations.
19 diff --git a/nis/nss_nis/nis-alias.c b/nis/nss_nis/nis-alias.c
20 index 9286e36..cfe4097 100644
21 --- a/nis/nss_nis/nis-alias.c
22 +++ b/nis/nss_nis/nis-alias.c
24 -/* Copyright (C) 1996-2002, 2003, 2006 Free Software Foundation, Inc.
25 +/* Copyright (C) 1996-2002, 2003, 2006, 2011 Free Software Foundation, Inc.
26 This file is part of the GNU C Library.
27 Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
29 @@ -142,10 +142,10 @@ internal_nis_getaliasent_r (struct aliasent *alias, char *buffer,
33 - yperr = yp_first (domain, "mail.aliases", &outkey, &keylen, &result,
34 + yperr = yp_first (domain, "mail.aliases", &outkey, &keylen, &result,
37 - yperr = yp_next (domain, "mail.aliases", oldkey, oldkeylen, &outkey,
38 + yperr = yp_next (domain, "mail.aliases", oldkey, oldkeylen, &outkey,
39 &keylen, &result, &len);
41 if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
42 @@ -153,20 +153,20 @@ internal_nis_getaliasent_r (struct aliasent *alias, char *buffer,
43 enum nss_status retval = yperr2nss (yperr);
45 if (retval == NSS_STATUS_TRYAGAIN)
53 if (__builtin_expect ((size_t) (len + 1) > buflen, 0))
58 - return NSS_STATUS_TRYAGAIN;
61 + return NSS_STATUS_TRYAGAIN;
63 char *p = strncpy (buffer, result, len);
70 parse_res = _nss_nis_parse_aliasent (outkey, p, alias, buffer,
71 @@ -213,13 +213,25 @@ _nss_nis_getaliasbyname_r (const char *name, struct aliasent *alias,
72 return NSS_STATUS_UNAVAIL;
75 - size_t namlen = strlen (name);
76 - char name2[namlen + 1];
79 if (__builtin_expect (yp_get_default_domain (&domain), 0))
80 return NSS_STATUS_UNAVAIL;
82 + size_t namlen = strlen (name);
84 + int use_alloca = __libc_use_alloca (namlen + 1);
86 + name2 = __alloca (namlen + 1);
89 + name2 = malloc (namlen + 1);
93 + return NSS_STATUS_TRYAGAIN;
97 /* Convert name to lowercase. */
99 for (i = 0; i < namlen; ++i)
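Review bot: Nothing in the new code says why name2 changed from a VLA to the `__libc_use_alloca` / `malloc` split. `name` arrives from the caller with no length limit visible in this hunk, so I'd put a comment above the allocation, `/* NAME is caller-supplied and unbounded; keep the lowercase copy off the stack unless __libc_use_alloca allows it. */`. Once name2 can live on the heap, every exit after this point has to honour `use_alloca`; the release added by the following hunk is not visible here, so please confirm no return between the allocation and that release skips it.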
100 @@ -230,6 +242,9 @@ _nss_nis_getaliasbyname_r (const char *name, struct aliasent *alias,
102 int yperr = yp_match (domain, "mail.aliases", name2, namlen, &result, &len);
107 if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
109 enum nss_status retval = yperr2nss (yperr);
110 diff --git a/nscd/nscd_getserv_r.c b/nscd/nscd_getserv_r.c
111 index dce4165..de96a57 100644
112 --- a/nscd/nscd_getserv_r.c
113 +++ b/nscd/nscd_getserv_r.c
115 -/* Copyright (C) 2007, 2009 Free Software Foundation, Inc.
116 +/* Copyright (C) 2007, 2009, 2011 Free Software Foundation, Inc.
117 This file is part of the GNU C Library.
118 Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
121 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
127 #include <not-cancel.h>
128 @@ -80,6 +81,7 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
132 + size_t alloca_used = 0;
134 /* If the mapping is available, try to search there instead of
135 communicating with the nscd. */
136 @@ -88,13 +90,23 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
138 size_t protolen = proto == NULL ? 0 : strlen (proto);
139 size_t keylen = critlen + 1 + protolen + 1;
140 - char *key = alloca (keylen);
141 + int alloca_key = __libc_use_alloca (keylen);
144 + key = alloca_account (keylen, alloca_used);
147 + key = malloc (keylen);
151 memcpy (__mempcpy (__mempcpy (key, crit, critlen),
152 "/", 1), proto ?: "", protolen + 1);
155 const char *s_name = NULL;
156 const char *s_proto = NULL;
157 + int alloca_aliases_len = 0;
158 const uint32_t *aliases_len = NULL;
159 const char *aliases_list = NULL;
161 @@ -136,8 +148,22 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
162 if (((uintptr_t) aliases_len & (__alignof__ (*aliases_len) - 1))
165 - uint32_t *tmp = alloca (serv_resp.s_aliases_cnt
166 - * sizeof (uint32_t));
169 + = __libc_use_alloca (alloca_used
170 + + (serv_resp.s_aliases_cnt
171 + * sizeof (uint32_t)));
172 + if (alloca_aliases_len)
173 + tmp = __alloca (serv_resp.s_aliases_cnt * sizeof (uint32_t));
176 + tmp = malloc (serv_resp.s_aliases_cnt * sizeof (uint32_t));
183 aliases_len = memcpy (tmp, aliases_len,
184 serv_resp.s_aliases_cnt
185 * sizeof (uint32_t));
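Review bot: The byte count `serv_resp.s_aliases_cnt * sizeof (uint32_t)` is spelled out four times in this hunk (the `__libc_use_alloca` test, `__alloca`, `malloc` and `memcpy`) and again in the later hunk that allocates aliases_len for the socket reply. The count comes from the nscd response, so I'd compute it once, `size_t aliases_bytes = serv_resp.s_aliases_cnt * sizeof (uint32_t);`, and range-check the count at that point. The type of s_aliases_cnt is not visible here, so whether the product can wrap needs confirming. The stack branches also use `__alloca` / `alloca` rather than `alloca_account`, unlike the key allocation, so alloca_used is tested but never updated; that is harmless only if nothing allocates afterwards and deserves a comment.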
186 @@ -217,8 +243,24 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
188 if (serv_resp.s_aliases_cnt > 0)
190 - aliases_len = alloca (serv_resp.s_aliases_cnt
191 - * sizeof (uint32_t));
192 + assert (alloca_aliases_len == 0);
194 + = __libc_use_alloca (alloca_used
195 + + (serv_resp.s_aliases_cnt
196 + * sizeof (uint32_t)));
197 + if (alloca_aliases_len)
198 + aliases_len = alloca (serv_resp.s_aliases_cnt
199 + * sizeof (uint32_t));
202 + aliases_len = malloc (serv_resp.s_aliases_cnt
203 + * sizeof (uint32_t));
204 + if (aliases_len == NULL)
210 vec[n].iov_base = (void *) aliases_len;
211 vec[n].iov_len = serv_resp.s_aliases_cnt * sizeof (uint32_t);
213 @@ -329,5 +371,10 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
217 + if (!alloca_aliases_len)
218 + free ((void *) aliases_len);
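Review bot: `free ((void *) aliases_len)` is guarded only by `!alloca_aliases_len`, and that flag is initialised to 0, so it cannot tell a malloc'ed copy from a pointer that was never copied. In the mapped-cache path aliases_len is tested for alignment before any copy is made, which suggests it points into the mapping at that stage; if an aligned record reaches this cleanup, the pointer handed to free did not come from malloc. I'd track the heap buffer separately, e.g. `uint32_t *aliases_heap = NULL;` assigned at both malloc sites, and call `free (aliases_heap);` here. The cleanup label and the rest of nscd_getserv_r are outside this hunk, so please confirm which paths reach it.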
224 diff --git a/posix/glob.c b/posix/glob.c
225 index 6df083a..79b6e50 100644
229 -/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010
230 +/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010, 2011
231 Free Software Foundation, Inc.
232 This file is part of the GNU C Library.
234 @@ -199,7 +199,7 @@ static const char *next_brace_sub (const char *begin, int flags) __THROW;
236 static int glob_in_dir (const char *pattern, const char *directory,
237 int flags, int (*errfunc) (const char *, int),
239 + glob_t *pglob, size_t alloca_used);
240 extern int __glob_pattern_type (const char *pattern, int quote)
243 @@ -253,13 +253,18 @@ glob (pattern, flags, errfunc, pglob)
246 const char *filename;
247 - const char *dirname;
248 + char *dirname = NULL;
253 int dirname_modified;
254 + int malloc_dirname = 0;
258 + size_t alloca_used = 0;
261 if (pattern == NULL || pglob == NULL || (flags & ~__GLOB_FLAGS) != 0)
263 @@ -308,20 +313,26 @@ glob (pattern, flags, errfunc, pglob)
268 - char onealt[strlen (pattern) - 1];
270 - char *onealt = (char *) malloc (strlen (pattern) - 1);
271 - if (onealt == NULL)
273 + size_t pattern_len = strlen (pattern) - 1;
275 + int alloca_onealt = __libc_use_alloca (alloca_used + pattern_len);
277 + onealt = alloca_account (pattern_len, alloca_used);
281 - if (!(flags & GLOB_APPEND))
282 + onealt = (char *) malloc (pattern_len);
283 + if (onealt == NULL)
285 - pglob->gl_pathc = 0;
286 - pglob->gl_pathv = NULL;
287 + if (!(flags & GLOB_APPEND))
289 + pglob->gl_pathc = 0;
290 + pglob->gl_pathv = NULL;
292 + return GLOB_NOSPACE;
294 - return GLOB_NOSPACE;
298 /* We know the prefix for all sub-patterns. */
299 alt_start = mempcpy (onealt, pattern, begin - pattern);
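Review bot: `pattern_len` is a misleading name, since `size_t pattern_len = strlen (pattern) - 1;` holds the size of the onealt buffer, one less than the pattern's length. Something like `onealt_size` with a short comment on why one byte fewer than the pattern is enough would let a reader check the later copies into onealt against it. The same value feeds `__libc_use_alloca`, `alloca_account` and `malloc`, so the name carries the whole sizing argument for this buffer.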
300 @@ -332,9 +343,11 @@ glob (pattern, flags, errfunc, pglob)
303 /* It is an illegal expression. */
308 + if (__builtin_expect (!alloca_onealt, 0))
311 return glob (pattern, flags & ~GLOB_BRACE, errfunc, pglob);
314 @@ -344,13 +357,8 @@ glob (pattern, flags, errfunc, pglob)
316 rest = next_brace_sub (rest + 1, flags);
319 - /* It is an illegal expression. */
323 - return glob (pattern, flags & ~GLOB_BRACE, errfunc, pglob);
325 + /* It is an illegal expression. */
326 + goto illegal_brace;
328 /* Please note that we now can be sure the brace expression
330 @@ -386,9 +394,10 @@ glob (pattern, flags, errfunc, pglob)
331 /* If we got an error, return it. */
332 if (result && result != GLOB_NOMATCH)
337 + if (__builtin_expect (!alloca_onealt, 0))
340 if (!(flags & GLOB_APPEND))
343 @@ -406,9 +415,10 @@ glob (pattern, flags, errfunc, pglob)
344 assert (next != NULL);
350 + if (__builtin_expect (!alloca_onealt, 0))
354 if (pglob->gl_pathc != firstc)
355 /* We found some entries. */
356 @@ -455,7 +465,7 @@ glob (pattern, flags, errfunc, pglob)
357 case is nothing but a notation for a directory. */
358 if ((flags & (GLOB_TILDE|GLOB_TILDE_CHECK)) && pattern[0] == '~')
361 + dirname = (char *) pattern;
362 dirlen = strlen (pattern);
364 /* Set FILENAME to NULL as a special flag. This is ugly but
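Review bot: `dirname = (char *) pattern;` casts away const so that dirname can share one variable with heap buffers, and the next two hunks do the same with the literals `""`, `"."` and `"/"`. From here on the only thing stopping the cleanup path from freeing, or other code from writing through, one of these borrowed pointers is malloc_dirname being updated correctly at every assignment. I'd document that invariant at the declaration, `/* dirname is owned (and freed at out:) only while malloc_dirname is nonzero; otherwise it aliases PATTERN, a literal or alloca memory. */`, and keep each assignment next to its flag update.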
365 @@ -473,9 +483,9 @@ glob (pattern, flags, errfunc, pglob)
370 + dirname = (char *) "";
373 + dirname = (char *) ".";
377 @@ -485,7 +495,7 @@ glob (pattern, flags, errfunc, pglob)
378 && (flags & GLOB_NOESCAPE) == 0))
380 /* "/pattern" or "\\/pattern". */
382 + dirname = (char *) "/";
386 @@ -511,7 +521,17 @@ glob (pattern, flags, errfunc, pglob)
387 from "d:/", since "d:" and "d:/" are not the same.*/
390 - newp = (char *) __alloca (dirlen + 1);
392 + if (__libc_use_alloca (alloca_used + dirlen + 1))
393 + newp = alloca_account (dirlen + 1, alloca_used);
397 + newp = malloc (dirlen + 1);
399 + return GLOB_NOSPACE;
400 + malloc_dirname = 1;
402 *((char *) mempcpy (newp, pattern, dirlen)) = '\0';
405 @@ -551,7 +571,8 @@ glob (pattern, flags, errfunc, pglob)
406 oldcount = pglob->gl_pathc + pglob->gl_offs;
415 @@ -563,7 +584,8 @@ glob (pattern, flags, errfunc, pglob)
416 && (dirname[2] == '\0' || dirname[2] == '/')))
418 /* Look up home directory. */
419 - const char *home_dir = getenv ("HOME");
420 + char *home_dir = getenv ("HOME");
421 + int malloc_home_dir = 0;
423 if (home_dir == NULL || home_dir[0] == '\0')
425 @@ -582,7 +604,7 @@ glob (pattern, flags, errfunc, pglob)
426 /* `sysconf' does not support _SC_LOGIN_NAME_MAX. Try
429 - name = (char *) __alloca (buflen);
430 + name = alloca_account (buflen, alloca_used);
432 success = getlogin_r (name, buflen) == 0;
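Review bot: This is the one converted site in glob that calls `alloca_account (buflen, alloca_used)` without first asking `__libc_use_alloca (alloca_used + buflen)`. buflen appears to come from the sysconf login-name limit or a small fallback, so it is probably bounded, but the computation is outside this hunk. Either add the same check with a malloc fallback as at the other sites, or add a comment stating why the size is known to be small.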
434 @@ -592,6 +614,7 @@ glob (pattern, flags, errfunc, pglob)
435 long int pwbuflen = GETPW_R_SIZE_MAX ();
438 + int malloc_pwtmpbuf = 0;
442 @@ -600,7 +623,18 @@ glob (pattern, flags, errfunc, pglob)
443 Try a moderate value. */
446 - pwtmpbuf = (char *) __alloca (pwbuflen);
447 + if (__libc_use_alloca (alloca_used + pwbuflen))
448 + pwtmpbuf = alloca_account (pwbuflen, alloca_used);
451 + pwtmpbuf = malloc (pwbuflen);
452 + if (pwtmpbuf == NULL)
454 + retval = GLOB_NOSPACE;
457 + malloc_pwtmpbuf = 1;
460 while (getpwnam_r (name, &pwbuf, pwtmpbuf, pwbuflen, &p)
462 @@ -610,46 +644,115 @@ glob (pattern, flags, errfunc, pglob)
467 - pwtmpbuf = extend_alloca (pwtmpbuf, pwbuflen,
469 + if (!malloc_pwtmpbuf
470 + && __libc_use_alloca (alloca_used
472 + pwtmpbuf = extend_alloca_account (pwtmpbuf, pwbuflen,
477 + char *newp = realloc (malloc_pwtmpbuf
482 - pwtmpbuf = (char *) __alloca (pwbuflen);
486 + if (__builtin_expect (malloc_pwtmpbuf, 0))
488 + retval = GLOB_NOSPACE;
492 + pwbuflen = 2 * pwbuflen;
493 + malloc_pwtmpbuf = 1;
501 - home_dir = p->pw_dir;
503 + if (!malloc_pwtmpbuf)
504 + home_dir = p->pw_dir;
507 + size_t home_dir_len = strlen (p->pw_dir) + 1;
508 + if (__libc_use_alloca (alloca_used + home_dir_len))
509 + home_dir = alloca_account (home_dir_len,
513 + home_dir = malloc (home_dir_len);
514 + if (home_dir == NULL)
517 + retval = GLOB_NOSPACE;
520 + malloc_home_dir = 1;
522 + memcpy (home_dir, p->pw_dir, home_dir_len);
529 if (home_dir == NULL || home_dir[0] == '\0')
531 if (flags & GLOB_TILDE_CHECK)
532 - return GLOB_NOMATCH;
534 + if (__builtin_expect (malloc_home_dir, 0))
536 + retval = GLOB_NOMATCH;
540 - home_dir = "~"; /* No luck. */
541 + home_dir = (char *) "~"; /* No luck. */
543 # endif /* WINDOWS32 */
545 /* Now construct the full directory. */
546 if (dirname[1] == '\0')
548 + if (__builtin_expect (malloc_dirname, 0))
552 dirlen = strlen (dirname);
553 + malloc_dirname = malloc_home_dir;
558 size_t home_len = strlen (home_dir);
559 - newp = (char *) __alloca (home_len + dirlen);
560 + int use_alloca = __libc_use_alloca (alloca_used
561 + + home_len + dirlen);
563 + newp = alloca_account (home_len + dirlen, alloca_used);
566 + newp = malloc (home_len + dirlen);
569 + if (__builtin_expect (malloc_home_dir, 0))
571 + retval = GLOB_NOSPACE;
576 mempcpy (mempcpy (newp, home_dir, home_len),
577 &dirname[1], dirlen);
579 + if (__builtin_expect (malloc_dirname, 0))
583 dirlen += home_len - 1;
584 + malloc_dirname = !use_alloca;
586 dirname_modified = 1;
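Review bot: In the branch that builds newp from home_dir plus `&dirname[1]`, none of the visible added lines releases home_dir after the `mempcpy`; it is freed only on the newp allocation failure path. When home_dir was malloc'ed (`malloc_home_dir = 1`, which happens when pwtmpbuf itself lives on the heap), that copy appears to leak on success, unlike the `dirname[1] == '\0'` branch where ownership moves via `malloc_dirname = malloc_home_dir;`. I'd add `if (__builtin_expect (malloc_home_dir, 0)) free (home_dir);` right after the copy. Several lines of this hunk are not visible here, so please check against the full file.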
588 @@ -657,7 +760,8 @@ glob (pattern, flags, errfunc, pglob)
591 char *end_name = strchr (dirname, '/');
592 - const char *user_name;
594 + int malloc_user_name = 0;
595 const char *home_dir;
596 char *unescape = NULL;
598 @@ -677,7 +781,18 @@ glob (pattern, flags, errfunc, pglob)
602 - newp = (char *) __alloca (end_name - dirname);
603 + if (__libc_use_alloca (alloca_used + (end_name - dirname)))
604 + newp = alloca_account (end_name - dirname, alloca_used);
607 + newp = malloc (end_name - dirname);
610 + retval = GLOB_NOSPACE;
613 + malloc_user_name = 1;
615 if (unescape != NULL)
617 char *p = mempcpy (newp, dirname + 1,
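Review bot: The buffer size `end_name - dirname` is written three times (the `__libc_use_alloca` test, `alloca_account` and `malloc`), while the copy that fills it starts at `dirname + 1` with its length argument outside this hunk. Now that the buffer can be a heap block, an overrun by that copy or its terminator would corrupt allocator state rather than a stack slot. I'd compute the size once in a named local and add a comment stating exactly what it covers (the name without the leading tilde plus the terminating NUL), then check both the unescape and the plain copy path against it.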
618 @@ -714,6 +829,7 @@ glob (pattern, flags, errfunc, pglob)
619 # if defined HAVE_GETPWNAM_R || defined _LIBC
620 long int buflen = GETPW_R_SIZE_MAX ();
622 + int malloc_pwtmpbuf = 0;
626 @@ -723,7 +839,21 @@ glob (pattern, flags, errfunc, pglob)
630 - pwtmpbuf = (char *) __alloca (buflen);
631 + if (__libc_use_alloca (alloca_used + buflen))
632 + pwtmpbuf = alloca_account (buflen, alloca_used);
635 + pwtmpbuf = malloc (buflen);
636 + if (pwtmpbuf == NULL)
639 + if (__builtin_expect (malloc_user_name, 0))
641 + retval = GLOB_NOSPACE;
644 + malloc_pwtmpbuf = 1;
647 while (getpwnam_r (user_name, &pwbuf, pwtmpbuf, buflen, &p) != 0)
649 @@ -732,40 +862,77 @@ glob (pattern, flags, errfunc, pglob)
654 - pwtmpbuf = extend_alloca (pwtmpbuf, buflen, 2 * buflen);
657 - pwtmpbuf = __alloca (buflen);
659 + if (!malloc_pwtmpbuf
660 + && __libc_use_alloca (alloca_used + 2 * buflen))
661 + pwtmpbuf = extend_alloca_account (pwtmpbuf, buflen,
662 + 2 * buflen, alloca_used);
665 + char *newp = realloc (malloc_pwtmpbuf ? pwtmpbuf : NULL,
669 + if (__builtin_expect (malloc_pwtmpbuf, 0))
674 + malloc_pwtmpbuf = 1;
679 p = getpwnam (user_name);
682 + if (__builtin_expect (malloc_user_name, 0))
685 + /* If we found a home directory use this. */
687 - home_dir = p->pw_dir;
689 + size_t home_len = strlen (p->pw_dir);
690 + size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
692 + if (__builtin_expect (malloc_dirname, 0))
694 + malloc_dirname = 0;
696 + if (__libc_use_alloca (alloca_used + home_len + rest_len + 1))
697 + dirname = alloca_account (home_len + rest_len + 1,
701 + dirname = malloc (home_len + rest_len + 1);
702 + if (dirname == NULL)
704 + if (__builtin_expect (malloc_pwtmpbuf, 0))
706 + retval = GLOB_NOSPACE;
709 + malloc_dirname = 1;
711 + *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
712 + end_name, rest_len)) = '\0';
714 + dirlen = home_len + rest_len;
715 + dirname_modified = 1;
717 + if (__builtin_expect (malloc_pwtmpbuf, 0))
723 + if (__builtin_expect (malloc_pwtmpbuf, 0))
726 + if (flags & GLOB_TILDE_CHECK)
727 + /* We have to regard it as an error if we cannot find the
729 + return GLOB_NOMATCH;
732 - /* If we found a home directory use this. */
733 - if (home_dir != NULL)
736 - size_t home_len = strlen (home_dir);
737 - size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
738 - newp = (char *) __alloca (home_len + rest_len + 1);
739 - *((char *) mempcpy (mempcpy (newp, home_dir, home_len),
740 - end_name, rest_len)) = '\0';
742 - dirlen = home_len + rest_len;
743 - dirname_modified = 1;
746 - if (flags & GLOB_TILDE_CHECK)
747 - /* We have to regard it as an error if we cannot find the
749 - return GLOB_NOMATCH;
751 # endif /* Not Amiga && not WINDOWS32. */
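Review bot: The new `if (__builtin_expect (malloc_dirname, 0))` block followed by `malloc_dirname = 0;` releases the old dirname before the `mempcpy (mempcpy (dirname, p->pw_dir, home_len), end_name, rest_len)` that still reads from it. The freeing statement itself is not visible here, so this assumes the block does what the same pattern does elsewhere in the patch. end_name comes from `strchr (dirname, '/')` in the earlier declarations hunk, so when the old dirname was a heap buffer the copy reads freed memory. I'd defer the release: `char *old_dirname = malloc_dirname ? dirname : NULL;` in place of the early free, then `free (old_dirname);` after the copy and on the `dirname == NULL` failure path. The surrounding pwtmpbuf handling is only partly visible, so the ordering against those frees should be checked in the full function.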
753 @@ -899,7 +1066,7 @@ glob (pattern, flags, errfunc, pglob)
754 status = glob_in_dir (filename, dirs.gl_pathv[i],
755 ((flags | GLOB_APPEND)
756 & ~(GLOB_NOCHECK | GLOB_NOMAGIC)),
758 + errfunc, pglob, alloca_used);
759 if (status == GLOB_NOMATCH)
760 /* No matches in this directory. Try the next. */
762 @@ -1000,7 +1167,8 @@ glob (pattern, flags, errfunc, pglob)
764 if (dirname_modified)
765 flags &= ~(GLOB_NOCHECK | GLOB_NOMAGIC);
766 - status = glob_in_dir (filename, dirname, flags, errfunc, pglob);
767 + status = glob_in_dir (filename, dirname, flags, errfunc, pglob,
771 if (status == GLOB_NOMATCH && flags != orig_flags
772 @@ -1063,7 +1231,11 @@ glob (pattern, flags, errfunc, pglob)
773 sizeof (char *), collated_compare);
778 + if (__builtin_expect (malloc_dirname, 0))
783 #if defined _LIBC && !defined glob
784 libc_hidden_def (glob)
785 @@ -1273,7 +1445,7 @@ link_exists2_p (const char *dir, size_t dirlen, const char *fname,
787 glob_in_dir (const char *pattern, const char *directory, int flags,
788 int (*errfunc) (const char *, int),
790 + glob_t *pglob, size_t alloca_used)
792 size_t dirlen = strlen (directory);
794 @@ -1288,11 +1460,12 @@ glob_in_dir (const char *pattern, const char *directory, int flags,
795 struct globnames *names = &init_names;
796 struct globnames *names_alloca = &init_names;
798 - size_t allocasize = sizeof (init_names);
803 + alloca_used += sizeof (init_names);
805 init_names.next = NULL;
806 init_names.count = INITIAL_COUNT;
808 @@ -1308,20 +1481,36 @@ glob_in_dir (const char *pattern, const char *directory, int flags,
810 /* Since we use the normal file functions we can also use stat()
811 to verify the file is there. */
813 - struct_stat64 st64;
817 + struct_stat64 st64;
819 size_t patlen = strlen (pattern);
820 - char *fullname = (char *) __alloca (dirlen + 1 + patlen + 1);
821 + int alloca_fullname = __libc_use_alloca (alloca_used
822 + + dirlen + 1 + patlen + 1);
824 + if (alloca_fullname)
825 + fullname = alloca_account (dirlen + 1 + patlen + 1, alloca_used);
828 + fullname = malloc (dirlen + 1 + patlen + 1);
829 + if (fullname == NULL)
830 + return GLOB_NOSPACE;
833 mempcpy (mempcpy (mempcpy (fullname, directory, dirlen),
835 pattern, patlen + 1);
836 if ((__builtin_expect (flags & GLOB_ALTDIRFUNC, 0)
837 - ? (*pglob->gl_stat) (fullname, &st)
838 - : __stat64 (fullname, &st64)) == 0)
839 + ? (*pglob->gl_stat) (fullname, &ust.st)
840 + : __stat64 (fullname, &ust.st64)) == 0)
841 /* We found this file to be existing. Now tell the rest
842 of the function to copy this name into the result. */
843 flags |= GLOB_NOCHECK;
845 + if (__builtin_expect (!alloca_fullname, 0))
850 @@ -1409,9 +1598,9 @@ glob_in_dir (const char *pattern, const char *directory, int flags,
851 size_t size = (sizeof (struct globnames)
852 + ((count - INITIAL_COUNT)
854 - allocasize += size;
855 - if (__libc_use_alloca (allocasize))
856 - newnames = names_alloca = __alloca (size);
857 + if (__libc_use_alloca (alloca_used + size))
858 + newnames = names_alloca
859 + = alloca_account (size, alloca_used);
860 else if ((newnames = malloc (size))