Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <bebe5f59-0943-0f5c-cd12-f6afdc327e6e@cs.ucla.edu>
Date: Thu, 25 Feb 2021 11:57:58 -0800
From: Paul Eggert <eggert@...ucla.edu>
To: David Goldblatt <davidtgoldblatt@...il.com>
Cc: libc-coord@...ts.openwall.com
Subject: Re: Sized deallocation for C

The draft text says:

"If ptr is the result obtained from a call to malloc(size), 
realloc(old_ptr, size), or calloc(nmemb, memb_size), where nmemb * 
memb_size is equal to size, this function behaves equivalently to 
free(ptr)."

Suppose my code does the following but nmemb * memb_size overflows and 
does not fit into size_t:

  void
  sample (size_t nmemb, size_t memb_size)
  {
    void *ptr = calloc (nmemb, memb_size);
    if (ptr != NULL)
      do_something_with (ptr);
    free_sized (ptr, nmemb * memb_size);
  }

It's not clear from the wording whether behavior would be defined here, 
in the typical case where size_t is at least as width as int so the 
overflow wraps around in a well-defined way. Presumably the intent is 
that behavior should be defined. (Admittedly this is a weird corner 
case, but corner cases are what standards are for....)

A simple fix for this problem would be to change the above-quoted text 
to this:

"If ptr is a null pointer, or is the result obtained from a call to 
malloc(size), realloc(old_ptr, size), or calloc(nmemb, memb_size) where 
size is the mathematical product of nmemb and size, this function 
behaves equivalently to free(ptr)."

and similarly for free_aligned_sized. Plus, we add a requirement to 
calloc that it must return NULL if nmemb * memb_size does not fit into 
size_t.

Alternatively there could be a different 'free' function for calloc, but 
this proposal already has too many 'free' functions.

PS. Come to think of it, we could easily get by with one new 'free' 
function instead of two, as free_aligned_sized (ptr, 0, size) could take 
on the role of free_sized(ptr, size). I'd prefer this simplification.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.