From mboxrd@z Thu Jan 1 00:00:00 1970 From: Loganaden Velvindron Subject: Re: Harden iptables memory allocator Date: Fri, 22 May 2015 04:51:48 -0700 Message-ID: <20150522115148.GA1985@mx.elandsys.com> References: <1432284611.3364.14.camel@stressinduktion.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Hannes Frederic Sowa , Loganaden Velvindron , netfilter-devel@vger.kernel.org To: Jan Engelhardt Return-path: Received: from ns1.qubic.net ([208.69.177.116]:62474 "EHLO mx.elandsys.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756314AbbEVLwE (ORCPT ); Fri, 22 May 2015 07:52:04 -0400 Content-Disposition: inline In-Reply-To: Sender: netfilter-devel-owner@vger.kernel.org List-ID: On Fri, May 22, 2015 at 10:59:44AM +0200, Jan Engelhardt wrote: > > On Friday 2015-05-22 10:50, Hannes Frederic Sowa wrote: > > > >> + if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && > > > >if ((nmemb|size) >= MUL_NO_OVERFLOW) && ... > > I am sure there are many C tricks one can do, but iptables is > hardly that time-critical to warrant such. The same can be said of ipset, which uses strlcpy and has strlcat in its library. However, those are safer APIs to use. In this particular case, it's safer to use reallocarray(NULL,x,y) rather than malloc(x*y). (Many other less critical software such as m4 have also adopted reallocarray). > The compiler should perhaps learn to do such an optimization > if it does not already. > -- > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html