lib: Add MALLOC_MULTIPLY() and MALLOC_ADD()

These can be used for calculating memory allocation sizes. If there's an
overflow, the macro panics.

diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 451a5141ca21d121944892509dd91edcb2fd4fb5..5a7d19d4f8b8d5348ae11d045faab7c64d830668 100644 (file)
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -241,6 +241,7 @@ headers = \
        macros.h \
        md4.h \
        md5.h \
+       malloc-overflow.h \
        mempool.h \
        mkdir-parents.h \
        mmap-util.h \
@@ -346,6 +347,7 @@ test_lib_SOURCES = \
        test-json-tree.c \
        test-llist.c \
        test-log-throttle.c \
+       test-malloc-overflow.c \
        test-mempool-alloconly.c \
        test-pkcs5.c \
        test-net.c \

diff --git a/src/lib/lib.h b/src/lib/lib.h
index fa386892ae89152c380725a42bdcc1b8fc787870..672ce446ce49d62d321d63a4fc7f4937744d82d2 100644 (file)
--- a/src/lib/lib.h
+++ b/src/lib/lib.h
@@ -26,6 +26,7 @@
 #include "macros.h"
 #include "failures.h"
 
+#include "malloc-overflow.h"
 #include "data-stack.h"
 #include "mempool.h"
 #include "imem.h"

diff --git a/src/lib/malloc-overflow.h b/src/lib/malloc-overflow.h
new file mode 100644 (file)
index 0000000..830677a
--- /dev/null
+++ b/src/lib/malloc-overflow.h
@@ -0,0 +1,42 @@
+#ifndef MALLOC_OVERFLOW_H
+#define MALLOC_OVERFLOW_H
+
+/* MALLOC_*() can be used to calculate memory allocation sizes. If there's an
+   overflow, it'll cleanly panic instead of causing a potential buffer
+   overflow.
+
+   Note that *_malloc(size+1) doesn't need to use MALLOC_ADD(size, 1). It wraps
+   to size==0 and the *_malloc() calls already panic if size==0. */
+static inline size_t
+malloc_multiply_check(size_t a, size_t b, size_t sizeof_a, size_t sizeof_b,
+                     const char *fname, unsigned int linenum)
+{
+       /* the first sizeof-checks are intended to optimize away this entire
+          if-check for types that are small enough to never wrap size_t. */
+       if ((sizeof_a * 2 > sizeof(size_t) || sizeof_b * 2 > sizeof(size_t)) &&
+           b != 0 && (a > SIZE_MAX / b)) {
+               i_panic("file %s: line %d: memory allocation overflow: "
+                       "%" PRIuSIZE_T" * %" PRIuSIZE_T, fname, linenum, a, b);
+       }
+       return a * b;
+}
+#define MALLOC_MULTIPLY(a, b) \
+       malloc_multiply_check(a, b, sizeof(a), sizeof(b), __FILE__, __LINE__)
+
+static inline size_t
+malloc_add_check(size_t a, size_t b, size_t sizeof_a, size_t sizeof_b,
+                const char *fname, unsigned int linenum)
+{
+       /* the first sizeof-checks are intended to optimize away this entire
+          if-check for types that are small enough to never wrap size_t. */
+       if ((sizeof_a >= sizeof(size_t) || sizeof_b >= sizeof(size_t)) &&
+           SIZE_MAX - a < b) {
+               i_panic("file %s: line %d: memory allocation overflow: "
+                       "%" PRIuSIZE_T" + %" PRIuSIZE_T, fname, linenum, a, b);
+       }
+       return a + b;
+}
+#define MALLOC_ADD(a, b) \
+       malloc_add_check(a, b, sizeof(a), sizeof(b), __FILE__, __LINE__)
+
+#endif

diff --git a/src/lib/test-lib.inc b/src/lib/test-lib.inc
index 6968bc91172d309816facf6a71ca83e70f5e1887..10d6a8364aa8899092566767c840c3e1aaee3708 100644 (file)
--- a/src/lib/test-lib.inc
+++ b/src/lib/test-lib.inc
@@ -39,6 +39,8 @@ TEST(test_json_parser)
 TEST(test_json_tree)
 TEST(test_llist)
 TEST(test_log_throttle)
+TEST(test_malloc_overflow)
+FATAL(fatal_malloc_overflow)
 TEST(test_mempool_alloconly)
 FATAL(fatal_mempool)
 TEST(test_net)

diff --git a/src/lib/test-malloc-overflow.c b/src/lib/test-malloc-overflow.c
new file mode 100644 (file)
index 0000000..8a2cc82
--- /dev/null
+++ b/src/lib/test-malloc-overflow.c
@@ -0,0 +1,137 @@
+/* Copyright (c) 2016 Dovecot authors, see the included COPYING file */
+
+#include "test-lib.h"
+
+static void test_malloc_overflow_multiply(void)
+{
+       const struct {
+               size_t a, b;
+       } tests[] = {
+               { 0, SIZE_MAX },
+               { 1, SIZE_MAX },
+               { SIZE_MAX/2, 2 },
+       };
+       test_begin("MALLOC_MULTIPLY()");
+       for (unsigned int i = 0; i < N_ELEMENTS(tests); i++) {
+               test_assert_idx(MALLOC_MULTIPLY(tests[i].a, tests[i].b) == tests[i].a * tests[i].b, i);
+               test_assert_idx(MALLOC_MULTIPLY(tests[i].b, tests[i].a) == tests[i].b * tests[i].a, i);
+       }
+       test_end();
+}
+
+static void test_malloc_overflow_add(void)
+{
+       const struct {
+               size_t a, b;
+       } tests[] = {
+               { 0, SIZE_MAX },
+               { 1, SIZE_MAX-1 },
+               { SIZE_MAX/2+1, SIZE_MAX/2 },
+       };
+       unsigned short n = 2;
+
+       test_begin("MALLOC_ADD()");
+       /* check that no compiler warning is given */
+       test_assert(MALLOC_ADD(2, n) == 2+n);
+       for (unsigned int i = 0; i < N_ELEMENTS(tests); i++) {
+               test_assert_idx(MALLOC_ADD(tests[i].a, tests[i].b) == tests[i].a + tests[i].b, i);
+               test_assert_idx(MALLOC_ADD(tests[i].b, tests[i].a) == tests[i].b + tests[i].a, i);
+       }
+       test_end();
+}
+
+void test_malloc_overflow(void)
+{
+       test_malloc_overflow_multiply();
+       test_malloc_overflow_add();
+}
+
+static enum fatal_test_state fatal_malloc_overflow_multiply(unsigned int *stage)
+{
+       const struct {
+               size_t a, b;
+       } mul_tests[] = {
+               { SIZE_MAX/2+1, 2 },
+       };
+       unsigned int i;
+
+       switch (*stage) {
+       case 0:
+               test_begin("MALLOC_MULTIPLY() overflows");
+               i_error("%"PRIuSIZE_T, MALLOC_MULTIPLY((size_t)SIZE_MAX/2, (uint8_t)3));
+               break;
+       case 1:
+               i_error("%"PRIuSIZE_T, MALLOC_MULTIPLY((uint8_t)3, (size_t)SIZE_MAX/2));
+               break;
+       }
+       *stage -= 2;
+
+       if (*stage >= N_ELEMENTS(mul_tests)*2) {
+               *stage -= N_ELEMENTS(mul_tests)*2;
+               if (*stage == 0)
+                       test_end();
+               return FATAL_TEST_FINISHED;
+       }
+       i = *stage / 2;
+
+       if (*stage % 2 == 0)
+               i_error("%"PRIuSIZE_T, MALLOC_MULTIPLY(mul_tests[i].a, mul_tests[i].b));
+       else
+               i_error("%"PRIuSIZE_T, MALLOC_MULTIPLY(mul_tests[i].b, mul_tests[i].a));
+       return FATAL_TEST_FAILURE;
+}
+
+static enum fatal_test_state fatal_malloc_overflow_add(unsigned int *stage)
+{
+       const struct {
+               size_t a, b;
+       } add_tests[] = {
+               { SIZE_MAX, 1 },
+               { SIZE_MAX/2+1, SIZE_MAX/2+1 },
+       };
+       unsigned int i;
+
+       switch (*stage) {
+       case 0:
+               test_begin("MALLOC_ADD() overflows");
+               i_error("%"PRIuSIZE_T, MALLOC_ADD((size_t)SIZE_MAX, (uint8_t)1));
+               break;
+       case 1:
+               i_error("%"PRIuSIZE_T, MALLOC_ADD((uint8_t)1, (size_t)SIZE_MAX));
+               break;
+       }
+       *stage -= 2;
+
+       if (*stage >= N_ELEMENTS(add_tests)*2) {
+               *stage -= N_ELEMENTS(add_tests)*2;
+               if (*stage == 0)
+                       test_end();
+               return FATAL_TEST_FINISHED;
+       }
+       i = *stage / 2;
+
+       if (*stage % 2 == 0)
+               i_error("%"PRIuSIZE_T, MALLOC_ADD(add_tests[i].a, add_tests[i].b));
+       else
+               i_error("%"PRIuSIZE_T, MALLOC_ADD(add_tests[i].b, add_tests[i].a));
+       return FATAL_TEST_FAILURE;
+}
+
+enum fatal_test_state fatal_malloc_overflow(unsigned int stage)
+{
+       enum fatal_test_state state;
+
+       state = fatal_malloc_overflow_multiply(&stage);
+       if (state != FATAL_TEST_FINISHED)
+               return state;
+       return fatal_malloc_overflow_add(&stage);
+
+       /* individual checks */
+       switch (stage) {
+       case 0:
+               if (stage == 0)
+                       test_begin("MALLOC_MULTIPLY() overflows");
+               break;
+       }
+       return FATAL_TEST_FINISHED;
+}