Re: Harden iptables memory allocator

On Friday 2015-05-22 13:51, Loganaden Velvindron wrote:
>On Fri, May 22, 2015 at 10:59:44AM +0200, Jan Engelhardt wrote:
>> 
>> On Friday 2015-05-22 10:50, Hannes Frederic Sowa wrote:
>> >
>> >> + if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
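Review bot: missing documentation on the added `if` line. Nothing visible here says what MUL_NO_OVERFLOW bounds or why each of nmemb and size is compared against it separately. A one-line comment above the condition stating that threshold and how it relates to the nmemb * size product would make the check self-explanatory. The remainder of the condition after the trailing `&&` is not quoted, so it cannot be reviewed here.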
>> >
>> >if ((nmemb|size) >= MUL_NO_OVERFLOW) && ...
>> 
>> I am sure there are many C tricks one can do, but iptables is
>> hardly that time-critical to warrant such.
>
>The same can be said of ipset, which uses strlcpy and has strlcat in 
>its library. However, those are safer APIs to use.
>
>In this particular case, it's safer to use reallocarray(NULL,x,y) rather than
>malloc(x*y).

My comment was not about reallocarray–malloc, but about the
not-immediately-self-explanatory expression ((a|b) >= x) which to
me sounds like a Google interview question similar to "what would
(x&~(x-1))==x do".
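The two forms of the guard discussed in this thread, side by side, as an added example that is not part of the thread or of the iptables patch. The value of MUL_NO_OVERFLOW is an assumption (the thread does not show its definition), and the function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed definition (the thread does not show it): 2^(bits/2), a power of
 * two. Two operands both below it cannot overflow size_t when multiplied. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Spelled-out test, as on the quoted patch line. */
static int guard_explicit(size_t nmemb, size_t size)
{
	return nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW;
}

/* OR form from the reply. It matches guard_explicit() only because the
 * threshold is a power of two: a value >= 2^k has a bit set at k or above. */
static int guard_or(size_t nmemb, size_t size)
{
	return (nmemb | size) >= MUL_NO_OVERFLOW;
}

/* Returns 1 if both guards agree on every pair of boundary values. */
static int guards_agree(void)
{
	const size_t v[] = { 0, 1, MUL_NO_OVERFLOW - 1, MUL_NO_OVERFLOW,
			     MUL_NO_OVERFLOW + 1, SIZE_MAX };
	const size_t n = sizeof(v) / sizeof(v[0]);
	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < n; j++)
			if (guard_explicit(v[i], v[j]) != guard_or(v[i], v[j]))
				return 0;
	return 1;
}

/* Hypothetical helper: malloc(nmemb * size) that fails instead of wrapping.
 * The division runs only when the cheap guard says overflow is possible. */
static void *alloc_array_checked(size_t nmemb, size_t size)
{
	if (guard_explicit(nmemb, size) && nmemb > 0 && SIZE_MAX / nmemb < size) {
		errno = ENOMEM;
		return NULL;
	}
	return malloc(nmemb * size);
}

int main(void)
{
	return guards_agree() ? 0 : 1;
}
```

With a threshold that is not a power of two, the OR form can report a possible overflow when both operands are below the threshold, so the two guards stop being interchangeable.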



