Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify that the requested allocation size does not overflow. #109

Merged
merged 2 commits into from
Jul 25, 2018
Merged

Verify that the requested allocation size does not overflow. #109

merged 2 commits into from
Jul 25, 2018

Conversation

malsbat
Copy link
Contributor

@malsbat malsbat commented Jul 23, 2018

Signed-off-by: Todd Malsbary todd.malsbary@intel.com

@malsbat
Verify that the requested allocation size does not overflow.
fe1255e 
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
@dirk-thomas dirk-thomas added the in review Waiting for review (Kanban column) label Jul 23, 2018
wjwwood
wjwwood reviewed Jul 24, 2018
View reviewed changes
Copy link
Member

@wjwwood wjwwood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change to string map might be fine, I had one question about it. @dhood might have more context on the change to the logging.

src/logging.c Outdated
@@ -417,9 +417,17 @@ void rcutils_log(
) \
size_t old_output_buffer_len = strlen(output_buffer); \
size_t required_output_buffer_size = old_output_buffer_len + n + 1; \
if (required_output_buffer_size <= old_output_buffer_len) { \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the overflow case? If so a comment would be good to indicate this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is the overflow case. I can add a comment.

src/string_map.c
@@ -166,6 +167,12 @@ rcutils_string_map_reserve(rcutils_string_map_t * string_map, size_t capacity)
// note that realloc when the pointer is NULL is the same as malloc
// note also that realloc will shrink the space if needed

// ensure that reallocate won't overflow capacity
if (capacity > (SIZE_MAX / sizeof(char *))) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain in what cases this might occur?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not trace down all the callers of rcutils_string_map_reserve so it may not occur in practice today. However, it may occur if the requested capacity is greater than SIZE_MAX / 4 or SIZE_MAX / 8, depending on the pointer size.

I'll also note that glibc provides an explicit reallocarray() function that is the same as realloc() but includes the overflow check as done here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can consider adding a wrapper function in rcutils/allocator.h to preform this check if you like, I already created a reallocf function along these lines:

  • rcutils/include/rcutils/allocator.h

    Lines 129 to 137 in 244fa98

    /// Emulate the behavior of [reallocf](https://linux.die.net/man/3/reallocf).
    /**
    * This function will return `NULL` if the allocator is `NULL` or has `NULL` for
    * function pointer fields.
    */
    RCUTILS_PUBLIC
    RCUTILS_WARN_UNUSED
    void *
    rcutils_reallocf(void * pointer, size_t size, rcutils_allocator_t * allocator);

  • rcutils/src/allocator.c

    Lines 100 to 117 in 244fa98

    void *
    rcutils_reallocf(void * pointer, size_t size, rcutils_allocator_t * allocator)
    {
    if (!rcutils_allocator_is_valid(allocator)) {
    // cannot deallocate pointer, so print message to stderr and return NULL
    #if RCUTILS_REPORT_ERROR_HANDLING_ERRORS
    RCUTILS_SAFE_FWRITE_TO_STDERR(
    "[rcutils|allocator.c:" RCUTILS_STRINGIFY(__LINE__) "] rcutils_reallocf(): "
    "invalid allocator or allocator function pointers, memory leaked\n");
    #endif
    return NULL;
    }
    void * new_pointer = allocator->reallocate(pointer, size, allocator->state);
    if (NULL == new_pointer) {
    allocator->deallocate(pointer, allocator->state);
    }
    return new_pointer;
    }

Otherwise, this check here seems fine.

malsbat
malsbat commented Jul 24, 2018
View reviewed changes
Copy link
Contributor Author

@malsbat malsbat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks William for taking a look.

src/logging.c Outdated
@@ -417,9 +417,17 @@ void rcutils_log(
) \
size_t old_output_buffer_len = strlen(output_buffer); \
size_t required_output_buffer_size = old_output_buffer_len + n + 1; \
if (required_output_buffer_size <= old_output_buffer_len) { \
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is the overflow case. I can add a comment.

src/string_map.c
@@ -166,6 +167,12 @@ rcutils_string_map_reserve(rcutils_string_map_t * string_map, size_t capacity)
// note that realloc when the pointer is NULL is the same as malloc
// note also that realloc will shrink the space if needed

// ensure that reallocate won't overflow capacity
if (capacity > (SIZE_MAX / sizeof(char *))) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not trace down all the callers of rcutils_string_map_reserve so it may not occur in practice today. However, it may occur if the requested capacity is greater than SIZE_MAX / 4 or SIZE_MAX / 8, depending on the pointer size.

I'll also note that glibc provides an explicit reallocarray() function that is the same as realloc() but includes the overflow check as done here.

wjwwood
wjwwood approved these changes Jul 24, 2018
View reviewed changes
Copy link
Member

@wjwwood wjwwood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm with the comment and ideally with @dhood's feedback, but once you make the comment I'll start some CI for you

src/string_map.c
@@ -166,6 +167,12 @@ rcutils_string_map_reserve(rcutils_string_map_t * string_map, size_t capacity)
// note that realloc when the pointer is NULL is the same as malloc
// note also that realloc will shrink the space if needed

// ensure that reallocate won't overflow capacity
if (capacity > (SIZE_MAX / sizeof(char *))) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can consider adding a wrapper function in rcutils/allocator.h to preform this check if you like, I already created a reallocf function along these lines:

  • rcutils/include/rcutils/allocator.h

    Lines 129 to 137 in 244fa98

    /// Emulate the behavior of [reallocf](https://linux.die.net/man/3/reallocf).
    /**
    * This function will return `NULL` if the allocator is `NULL` or has `NULL` for
    * function pointer fields.
    */
    RCUTILS_PUBLIC
    RCUTILS_WARN_UNUSED
    void *
    rcutils_reallocf(void * pointer, size_t size, rcutils_allocator_t * allocator);

  • rcutils/src/allocator.c

    Lines 100 to 117 in 244fa98

    void *
    rcutils_reallocf(void * pointer, size_t size, rcutils_allocator_t * allocator)
    {
    if (!rcutils_allocator_is_valid(allocator)) {
    // cannot deallocate pointer, so print message to stderr and return NULL
    #if RCUTILS_REPORT_ERROR_HANDLING_ERRORS
    RCUTILS_SAFE_FWRITE_TO_STDERR(
    "[rcutils|allocator.c:" RCUTILS_STRINGIFY(__LINE__) "] rcutils_reallocf(): "
    "invalid allocator or allocator function pointers, memory leaked\n");
    #endif
    return NULL;
    }
    void * new_pointer = allocator->reallocate(pointer, size, allocator->state);
    if (NULL == new_pointer) {
    allocator->deallocate(pointer, allocator->state);
    }
    return new_pointer;
    }

Otherwise, this check here seems fine.

@malsbat
Add comment to clarify overflow calculation.
488e398 
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
@wjwwood
Copy link
Member

wjwwood commented Jul 24, 2018

Thanks here's some CI:

  • Linux Build Status
  • Linux-aarch64 Build Status
  • macOS Build Status
  • Windows Build Status

@wjwwood
Copy link
Member

wjwwood commented Jul 25, 2018

Ok, I'm going to go ahead and merge this. @dhood if you have any retroactive comments we can address them in a follow up pr.

@wjwwood wjwwood merged commit d757928 into ros2:master Jul 25, 2018
@wjwwood wjwwood removed the in review Waiting for review (Kanban column) label Jul 25, 2018
@dhood
Copy link
Member

dhood commented Jul 25, 2018

no comment, looks good!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wjwwood wjwwood wjwwood approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@malsbat @wjwwood @dhood @dirk-thomas