View Issue Details

ID: 0000545
Project: LDMud 3.3
Category: Implementation
View Status: public
Last Update: 2011-02-23 22:02
Reporter: zesstra
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 3.3
Target Version: 3.3.721
Summary: 0000545: Usages of alloca() have to be checked for possible stack overflow
Description: The driver contains some 69 calls to alloca(). They actually check if a NULL pointer is returned. Unfortunately, usual alloca() implementations don't return a NULL pointer upon stack overflow; they just move the stack pointer by the desired size and return it, no matter if the new pointer points to some area outside the stack.
If alloca() is used for allocating memory for user-supplied data, this can enable users to cause a crash or worse.
We have to change such usages of alloca() and should not use it for anything other than allocating small chunks of memory (e.g. <200 bytes).
Tags: No tags attached.
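As an added illustration of the fix the report asks for (not code from the LDMud driver), the following C shows the "small sizes on the stack, everything else on the heap" pattern for a buffer whose size is derived from caller-supplied data. ALLOCA_LIMIT, TEMP_ALLOC, TEMP_FREE, uppercase_copy and check_round_trip are hypothetical names chosen for this example; the 200-byte limit is only the report's rule of thumb.

```c
#include <alloca.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stack allocation bound; a constructed value following the report's
 * "e.g. <200 bytes" guidance, not a constant taken from the driver. */
#define ALLOCA_LIMIT 200
/* Non-zero when a buffer of n bytes must come from the heap instead. */
int needs_heap(size_t n) { return n >= ALLOCA_LIMIT; }
/* alloca() memory is released when the function that called it returns,
 * so the size switch must be a macro expanded in the caller, not a helper. */
#define TEMP_ALLOC(ptr, n, on_heap) do {                          \
        if (needs_heap(n)) { (ptr) = malloc(n); (on_heap) = 1; }  \
        else { (ptr) = alloca(n); (on_heap) = 0; }                \
    } while (0)
#define TEMP_FREE(ptr, on_heap) do { if (on_heap) free(ptr); } while (0)

/* Uppercases src into dst through a temporary sized from the caller-supplied
 * string. A plain alloca(len + 1) here would move the stack pointer past the
 * stack end for a multi-megabyte src; only small lengths reach alloca() now.
 * Returns the copied length, or -1 if dst is too small or malloc() fails. */
long uppercase_copy(const char *src, char *dst, size_t dst_size)
{
    size_t len = strlen(src);
    char *tmp; int on_heap;
    if (len + 1 > dst_size) return -1;
    TEMP_ALLOC(tmp, len + 1, on_heap);
    if (tmp == NULL) return -1;     /* meaningful only on the malloc() path */
    for (size_t i = 0; i <= len; i++)
        tmp[i] = (char)toupper((unsigned char)src[i]);
    memcpy(dst, tmp, len + 1);
    TEMP_FREE(tmp, on_heap);
    return (long)len;
}

/* Round trip on a constructed input of n 'a' bytes; returns 1 on success. */
int check_round_trip(size_t n)
{
    char *src = malloc(n + 1), *dst = malloc(n + 1);
    int ok = 0;
    if (src && dst) {
        memset(src, 'a', n);
        src[n] = '\0';
        ok = uppercase_copy(src, dst, n + 1) == (long)n && dst[n] == '\0'
             && (n == 0 || (dst[0] == 'A' && dst[n - 1] == 'A'));
    }
    free(src); free(dst);
    return ok;
}
```

The NULL check after TEMP_ALLOC only has a meaning on the malloc() path, which is the report's point: on the alloca() path the pointer is never NULL, even when the stack has already been overrun.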

Relationships

parent of 0000532 (resolved, zesstra): restore_value() segfaults on large inputs on 64-bit Debian; alloca() related
parent of 0000575 (resolved, zesstra): filter(<string>,...) may crash with large strings
parent of 0000576 (resolved, zesstra): save_object() and restore_object() may crash with large argument strings
parent of 0000577 (resolved, zesstra): Potential crashes in send_erq() and send_udp() due to stack overflow
parent of 0000578 (resolved, zesstra): Potential crashes in regexplode(), process_string(), present_clone()
parent of 0000580 (resolved, zesstra): Potential crash in load_object() due to stack overflow
parent of 0000581 (resolved, zesstra): Potential crashes in rename_object() and replace_program() due to stack overflows
parent of 0000582 (resolved, zesstra): Potential crash in db_conv_string() due to stack overflow

Activities

zesstra (administrator), note ~0000750, 2008-07-18 14:08

BTW: All alloca() calls seem to have a check like if (!buf) errorf("out of stack memory"); following. As these will never be executed, we should just remove them (or does anybody know a system where alloca() actually checks something and does not just increase the stack pointer?).

Issue History

Date Modified Username Field Change
2008-07-02 03:48 zesstra New Issue
2008-07-02 03:49 zesstra Relationship added parent of 0000532
2008-07-02 04:34 zesstra Project LDMud => LDMud 3.3
2008-07-18 14:08 zesstra Note Added: 0000750
2008-09-23 04:54 zesstra Relationship added parent of 0000575
2008-09-24 15:23 zesstra Relationship added parent of 0000576
2008-09-28 13:38 zesstra Relationship added parent of 0000577
2008-09-28 14:25 zesstra Relationship added parent of 0000578
2008-10-01 15:07 zesstra Relationship added parent of 0000580
2008-10-01 15:13 zesstra Relationship added parent of 0000581
2008-10-01 15:18 zesstra Relationship added parent of 0000582
2008-10-01 15:19 zesstra ETA none => > 1 month
2008-10-01 15:19 zesstra Summary Usages of alloca() have to checked for possible stack overflow => Usages of alloca() have to be checked for possible stack overflow
2011-02-23 22:02 zesstra Target Version => 3.3.721