Refactor isc_mem_get et al. for safer allocation size calculations
If there is an integer overflow when calculating an allocation size, the new memory on the heap can be too small, leading to a heap buffer overflow.
To make it easier to use checked arithmetic for allocation sizes, change isc_mem_get() to allocate an array by default. Like calloc(), it now takes two size arguments: an element count, and an element size. (Unlike calloc(), however, ISC_MEM_ZERO must be requested explicitly.)
There is also a new extended variant, isc_mem_getfx(), for allocating a struct with a flexible array member. It uses a checked multiply-add to calculate the size.
Most of this change is done by Coccinelle. However, Coccinelle's parser has trouble with some of BIND's macros, so the refactoring is done in three stages: suppress the problematic macros; apply the spatch; then revert the suppression.
The spatch is generated by a perl script, because it is very repetitive handling all the variants of isc_mem_get(), isc_mem_put(), etc., with and without flags.
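The checked arithmetic this change describes, shown as an added C illustration that is not BIND's own code: a calloc-style two-argument allocator and a flexible-array-member variant built on a checked multiply-add. The names mem_get_array, mem_get_flex, checked_mul_add and MEM_ZERO are assumptions standing in for the isc_mem_* API, and the code assumes a compiler with the GCC/Clang __builtin_*_overflow builtins.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MEM_ZERO 0x1 /* hypothetical flag: zero-fill only when requested */

/* out = header + count * size; false if either step overflows size_t.
 * Assumes the GCC/Clang overflow builtins. */
static bool
checked_mul_add(size_t header, size_t count, size_t size, size_t *out)
{
	size_t product;
	if (__builtin_mul_overflow(count, size, &product)) {
		return false;
	}
	return !__builtin_add_overflow(header, product, out);
}

/* Struct-with-flexible-array-member form: header + count * size bytes
 * (caller passes sizeof(struct) and sizeof(member[0])). Returns NULL on
 * overflow, never a too-small block, and NULL if malloc fails. */
static void *
mem_get_flex(size_t header, size_t count, size_t size, unsigned flags)
{
	size_t total;
	if (!checked_mul_add(header, count, size, &total)) {
		return NULL;
	}
	void *p = malloc(total);
	if (p != NULL && (flags & MEM_ZERO)) {
		memset(p, 0, total);
	}
	return p;
}

/* calloc-like two-argument form: an array with no header.
 * Unlike calloc(), zeroing happens only when MEM_ZERO is passed. */
static void *
mem_get_array(size_t count, size_t size, unsigned flags)
{
	return mem_get_flex(0, count, size, flags);
}

/* For contrast only: the wrapped size that unchecked arithmetic yields. */
static size_t
unchecked_size(size_t header, size_t count, size_t size)
{
	return header + count * size;
}
```

With a 16-byte header, a count of SIZE_MAX/2+1 and 4-byte elements, unchecked_size() wraps to 16 while mem_get_flex() refuses the request, which is the under-allocation the checked multiply-add exists to prevent.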