View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000545 | LDMud 3.3 | Implementation | public | 2008-07-02 03:48 | 2011-02-23 22:02 |
| Reporter | zesstra | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | N/A |
| Status | new | Resolution | open | ||
| Product Version | 3.3 | ||||
| Target Version | 3.3.721 | ||||
| Summary | 0000545: Usages of alloca() have to be checked for possible stack overflow | ||||
| Description | The driver contains some 69 calls to alloca(). They actually check if a NULL pointer is returned. Unfortunately, usual alloca() implementations don't return a NULL pointer upon stack overflow, they just move the stack pointer by the desired size and return it, no matter if the new pointer points to some area outside the stack. If alloca() is used for allocating memory for user supplied data, this can enable users to cause a crash or worse. We have to change such usages of alloca() and should not use it for anything else than to allocate small chunks of memory (e.g. <200 bytes). | ||||
| Tags | No tags attached. | ||||
| parent of | 0000532 | resolved | zesstra | restore_value() segfaults on large inputs on 64-bit Debian; alloca() related |
| parent of | 0000575 | resolved | zesstra | filter(<string>,...) may crash with large strings |
| parent of | 0000576 | resolved | zesstra | save_object() and restore_object() may crash with large argument strings |
| parent of | 0000577 | resolved | zesstra | Potential crashes in send_erq() and send_udp() due to stack overflow |
| parent of | 0000578 | resolved | zesstra | Potential crashes in regexplode(), process_string(), present_clone() |
| parent of | 0000580 | resolved | zesstra | Potential crash in load_object() due to stack overflow |
| parent of | 0000581 | resolved | zesstra | Potential crashes in rename_object() and replace_program() due to stack overflows |
| parent of | 0000582 | resolved | zesstra | Potential crash in db_conv_string() due to stack overflow |
|
|
BTW: All alloca() seem to have a check like if (!buf) errorf("out of stack memory"); following, as these will never be executed we should just remove them (or does anybody know a system where alloca() actually checks something as does not just increase the stack pointer?). |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2008-07-02 03:48 | zesstra | New Issue | |
| 2008-07-02 03:49 | zesstra | Relationship added | parent of 0000532 |
| 2008-07-02 04:34 | zesstra | Project | LDMud => LDMud 3.3 |
| 2008-07-18 14:08 | zesstra | Note Added: 0000750 | |
| 2008-09-23 04:54 | zesstra | Relationship added | parent of 0000575 |
| 2008-09-24 15:23 | zesstra | Relationship added | parent of 0000576 |
| 2008-09-28 13:38 | zesstra | Relationship added | parent of 0000577 |
| 2008-09-28 14:25 | zesstra | Relationship added | parent of 0000578 |
| 2008-10-01 15:07 | zesstra | Relationship added | parent of 0000580 |
| 2008-10-01 15:13 | zesstra | Relationship added | parent of 0000581 |
| 2008-10-01 15:18 | zesstra | Relationship added | parent of 0000582 |
| 2008-10-01 15:19 | zesstra | ETA | none => > 1 month |
| 2008-10-01 15:19 | zesstra | Summary | Usages of alloca() have to checked for possible stack overflow => Usages of alloca() have to be checked for possible stack overflow |
| 2011-02-23 22:02 | zesstra | Target Version | => 3.3.721 |
